References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. the issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.

AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE-400

CWE-770

https://github.com/inventree/InvenTree/commit/0826a75ef6dde0ad96d680f52a9cf171ba2ce98b

https://github.com/inventree/InvenTree/releases/tag/0.17.13

https://github.com/inventree/InvenTree/security/advisories/GHSA-m2ch-h84r-p9r6