VYPR
High severity · NVD Advisory · Published Sep 29, 2023 · Updated Sep 23, 2024

Allocation of Resources Without Limits or Throttling in ikus060/rdiffweb

CVE-2023-5289

Description

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Rdiffweb prior to 2.8.4 lacks rate limiting on user creation and key management endpoints, enabling resource exhaustion attacks.

Vulnerability Overview

CVE-2023-5289 describes a missing rate limiting vulnerability in rdiffweb, a web-based backup management application [1]. The official description notes an "Allocation of Resources Without Limits or Throttling" issue, meaning the application does not restrict how many times certain endpoints can be called, potentially leading to resource exhaustion [2].

Exploitation

A commit that fixes this vulnerability adds rate limiting via @cherrypy.tools.ratelimit to the new() method for user creation, as well as similar protections for AccessToken and SSH Key endpoints [4]. The vulnerability could be exploited by sending a high volume of POST requests to these endpoints, either by an unauthenticated attacker or a malicious authenticated user, consuming server resources such as CPU, memory, or database connections [2][3].

Impact

Successful exploitation could lead to denial of service, making the application unresponsive or causing it to crash. This affects the availability of backup management services [2][3].

Mitigation

The issue is resolved in rdiffweb version 2.8.4, which introduces rate limiting for the susceptible endpoints. Users should upgrade to this version or later to prevent resource exhaustion attacks [2][4].
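To make the throttling described above concrete, here is an added example (not rdiffweb's code and not the CherryPy tool the fix uses): a small fixed-window limiter that counts only the listed HTTP methods per (client, endpoint), so a burst of POSTs to a creation endpoint is rejected while the GET that renders the form still passes. The limit, window and the choice of remote IP as client key are assumptions, and the `cherrypy_tool` wiring is hypothetical.

```python
# Added example, not rdiffweb's code. Limit, window and the client key
# (remote IP) are illustrative assumptions.
import time
from collections import defaultdict


class MethodRateLimiter:
    """Fixed-window limiter: at most `limit` requests per `window` seconds
    per (client, endpoint), counting only the listed HTTP methods."""

    def __init__(self, limit=5, window=60.0, methods=("POST",)):
        self.limit = limit
        self.window = window
        self.methods = {m.upper() for m in methods}
        self._hits = defaultdict(list)  # (client, endpoint) -> timestamps

    def allow(self, client, endpoint, method, now=None):
        """True if the request may proceed, False if throttled. Methods not
        listed (e.g. GET that renders the form) are never counted."""
        if method.upper() not in self.methods:
            return True
        now = time.monotonic() if now is None else now
        key = (client, endpoint)
        # Keep only timestamps still inside the window, then compare.
        hits = [t for t in self._hits[key] if now - t < self.window]
        allowed = len(hits) < self.limit
        if allowed:
            hits.append(now)
        self._hits[key] = hits
        return allowed


def simulate_burst(limiter, client, endpoint, count, method="POST", start=0.0):
    """Send `count` requests one second apart; return how many got through."""
    return sum(limiter.allow(client, endpoint, method, now=start + i)
               for i in range(count))


def cherrypy_tool(limiter):
    """Wrap the limiter as a CherryPy before_handler tool. Hypothetical wiring:
    `cherrypy.tools.ratelimit = cherrypy_tool(MethodRateLimiter())`, then
    `@cherrypy.tools.ratelimit()` on a handler. cherrypy is imported lazily."""
    import cherrypy

    def _check():
        req = cherrypy.request
        if not limiter.allow(req.remote.ip, req.path_info, req.method):
            raise cherrypy.HTTPError(429, "Too Many Requests")
    return cherrypy.Tool("before_handler", _check)
```

A production limiter would additionally need shared state across worker processes and a client key that survives proxies (e.g. the authenticated user for logged-in endpoints), which this in-memory example does not provide.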

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions    Patched versions
rdiffweb (PyPI)    < 2.8.4              2.8.4

Affected products (2)

  • ghsa-coords
    Range: < 2.8.4
  • ikus060/ikus060/rdiffwebv5
    Range: unspecified

Patches (1)

06f89b43469a

Add ratelimit to AccessToken, SSH Keys, User creation

https://github.com/ikus060/rdiffweb · Patrik Dufresne · Sep 29, 2023 · via ghsa
3 files changed · +6 −6
  • rdiffweb/controller/page_admin_users.py · +4 −6 · modified
    @@ -265,7 +265,8 @@ def index(self):
                 ldap_enabled=self.app.cfg.ldap_uri,
             )
     
    -    @cherrypy.expose()
    +    @cherrypy.expose
    +    @cherrypy.tools.ratelimit(methods=['POST'])
         def new(self, **kwargs):
             form = UserForm()
             if form.is_submitted():
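Review bot: the `@cherrypy.expose()` to `@cherrypy.expose` change on the line above `new()` is a cosmetic decorator-style edit bundled into a security fix; it is behaviour-neutral in CherryPy but makes the backport diff noisier than the one-line `ratelimit` addition needs to be, so consider splitting it out. The hunk also does not show which limit, window or client key `cherrypy.tools.ratelimit(methods=['POST'])` applies; a short comment here or a changelog line naming the default limit would help operators tune it.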
    @@ -282,7 +283,7 @@ def new(self, **kwargs):
                     flash(form.error_message, level='error')
             return self._compile_template("admin_user_new.html", form=form)
     
    -    @cherrypy.expose()
    +    @cherrypy.expose
         def edit(self, username_vpath, **kwargs):
             user = UserObject.get_user(username_vpath)
             if not user:
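Review bot: `edit()` only receives the decorator-style change here and stays unthrottled, while `new()` above now rejects bursts of POSTs. If that is intentional because `edit` acts on an existing user rather than allocating a new one, say so in the commit message; otherwise applying the same `ratelimit(methods=['POST'])` here keeps the admin user pages consistent.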
    @@ -297,7 +298,7 @@ def edit(self, username_vpath, **kwargs):
                     flash(form.error_message, level='error')
             return self._compile_template("admin_user_edit.html", form=form)
     
    -    @cherrypy.expose()
    +    @cherrypy.expose
         def delete(self, username=None, **kwargs):
             # Validate form method.
             form = DeleteUserForm()
    @@ -320,6 +321,3 @@ def delete(self, username=None, **kwargs):
             else:
                 flash(form.error_message, level='error')
             raise cherrypy.HTTPRedirect(url_for('admin', 'users'))
    -
    -
    -# TODO Allow configuration of notification settigns
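Review bot: the three removed lines (two blank lines and the `# TODO Allow configuration of notification settigns` comment) are unrelated cleanup; leaving them out of the security fix keeps the commit minimal and easier to cherry-pick onto maintenance branches.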
    
  • rdiffweb/controller/page_pref_sshkeys.py · +1 −0 · modified
    @@ -115,6 +115,7 @@ def populate_obj(self, userobj):
     
     class PagePrefSshKeys(Controller):
         @cherrypy.expose
    +    @cherrypy.tools.ratelimit(methods=['POST'])
         def default(self, **kwargs):
             # Handle action
             add_form = SshForm()
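Review bot: the limiter sits on `default()`, which per the `# Handle action` comment dispatches every SSH key action on the page, so all POSTs to it share one budget; that is the right scope, but no test accompanies the change. A test that posts past the limit and asserts the throttled response for this page, and that a GET still renders, would pin the behaviour down.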
    
  • rdiffweb/controller/page_pref_tokens.py · +1 −0 · modified
    @@ -119,6 +119,7 @@ def populate_obj(self, userobj):
     
     class PagePrefTokens(Controller):
         @cherrypy.expose
    +    @cherrypy.tools.ratelimit(methods=['POST'])
         def default(self, **kwargs):
             form = TokenForm()
             delete_form = DeleteTokenForm()
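Review bot: same treatment as the SSH key page: `default()` handles both `TokenForm` and `DeleteTokenForm`, so a single POST budget covers token creation and deletion. A one-line note in the commit message that deletion is deliberately throttled together with creation would help, since a user removing many tokens in a row could hit the limit.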
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.