CVE-2023-25822

Description

### Impact ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable "ltree" field type indexing limit (path length>=120 approximately, recursive nesting of the nested steps). REINDEX INDEX path_gist_idx and path_idx aren't helped. ### Patches The problem was fixed in `service-api` module of version `5.10.0` (product release [23.2](https://reportportal.io/docs/releases/Version23.2/)), where the maximum number of nested elements were programmatically limited. ### Workarounds After deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal is working properly.

How to fix CVE-2023-25822

To remediate CVE-2023-25822, upgrade the affected package to a fixed version below.

• —upgrade to 5.10.0 or later

Is CVE-2023-25822 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 5.10.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-25822
• PATCHgithub.com/reportportal/reportportal
• WEBgithub.com/reportportal/reportportal/releases/tag/v23.2
• WEBgithub.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9