Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2021-21267
HistoryMar 19, 2021 - 9:15 p.m.

CVE-2021-21267

2021-03-1921:15:12
CWE-400
CWE-20
GitHub_M
web.nvd.nist.gov
67
7
schema-inspector
npm package
js objects
validation
email address
vulnerability
denial-of-service
dos
redos
upgrade

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.007

Percentile

79.9%

JSON

Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected. Users should upgrade to version 2.0.0, which uses a regex expression that isn’t vulnerable to ReDoS.

Affected configurations

Nvd
Vulners
Node
schema-inspector_projectschema-inspectorRange<2.0.0node.js
Node
netappe-series_performance_analyzerMatch-
OR
netapponcommand_insightMatch-
VendorProductVersionCPE
schema-inspector_projectschema-inspector*cpe:2.3:a:schema-inspector_project:schema-inspector:*:*:*:*:*:node.js:*:*
netappe-series_performance_analyzer-cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
netapponcommand_insight-cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "schema-inspector",
    "vendor": "schema-inspector",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.0.0"
      }
    ]
  }
]

Social References

More

Related

nodejs 1
osv 2
veracode 1
cvelist 1
prion 1
nvd 1
github 1
nodejs
nodejs
Regular Expression Denial of Service
2021-03-19 20:19:12
osv
osv
Regular Expression Denial-of-Service in npm schema-inspector
2021-03-19 20:14:21
CVE-2021-21267
2021-03-19 21:15:12
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2021-03-22 01:37:17
cvelist
cvelist
CVE-2021-21267 Regular Expression Denial-of-Service in npm schema-inspector
2021-03-19 20:25:13
prion
prion
Input validation
2021-03-19 21:15:00
nvd
nvd
CVE-2021-21267
2021-03-19 21:15:12
github
github
Regular Expression Denial-of-Service in npm schema-inspector
2021-03-19 20:14:21

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.007

Percentile

79.9%

JSON
Related for CVE-2021-21267
nodejs1osv2veracode1cvelist1prion1nvd1github1