| Title | thingsboard v3.7.0 Denial of Service |
|---|---|
| Description | Summary: RPC Server on Compromised Device Returns Large Data, Causing DoS on Thingsboard.<br>Detailed Steps to Reproduce the Vulnerability:<br>1. Setup: Ensure you have a device that can start an RPC server and that the Thingsboard platform is properly set up to communicate with this device.<br>2. Start RPC Server: Use the HTTP RPC API reference to start an RPC server on the device.<br>3. Send Request: Through the Thingsboard platform, send a request to this RPC server.<br>4. Malicious Response: Configure the device to return a maliciously large amount of data in response to the RPC request. Our data is created by Python: `error_message = "Unknown " * 5000000 + "method"; response = {"error": error_message}`<br>5. Observe Effects: Notice that the Thingsboard platform tries to handle this large response, leading to Out Of Memory (OOM) errors, and eventually causing the platform to crash. |
| Source | https://1drv.ms/v/s!AksJ421iyCG-mytAcEUF6WqOTwj2?e=6WAp5G |
| User | lujiefsi (UID 72362) |
| Submission | 07/24/2024 05:30 (2 years ago) |
| Moderation | 09/30/2024 19:49 (2 months later) |
| Status | Accepted |
| VulDB entry | 278887 [ThingsBoard up to 3.7.0 HTTP RPC API resource consumption] |
| Points | 20 |