VWE-2017-3979

https://www.vaultwiki.org/pages/Book/Documentation/VWE-2017-3979
This page is a chapter in Info Known Vulnerabilities

Common Name: None
VWE-ID: VWE-2017-3979
Related Report: #5026
Severity: HIGH
Exploit Difficulty: EASY
Platform: Affects all platforms supported by the vulnerable versions.
Description: Decompression Bomb. Does not affect Lite versions.
Discovered:
  Related issue: April 28, 2017
  Proof of concept: August 9, 2017
Resolved: September 13, 2017
Patches Available:
  4.0.19 Patch Level 1
  4.0.18 Patch Level 2
  4.0.17 Patch Level 4
  4.0.16 Patch Level 5
  4.0.15 Patch Level 9
  4.0.14 Patch Level 12
Workaround: For versions 4.0.14 and later, perform the following:
  1. Set Options > VaultWiki: Content Types > Maximum Disk Usage for All Attachments (MB) = 0. This will reject all new uploads.
  2. Set Options > VaultWiki: Miscellaneous > Maximum Disk Usage for All Proxy Images (MB) = 0. This will disable the external image proxy.
After applying a patch, restore these settings to reactivate uploads and proxying.

There is no workaround for versions 4.0.13 and earlier. They are no longer supported; update to a more recent version and perform the steps above.
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.