Lucene search

[email protected]CVE-2023-32758

HistoryMay 15, 2023 - 4:15 a.m.

CVE-2023-32758

2023-05-1504:15:10

CWE-1333

[email protected]

web.nvd.nist.gov

cve-2023-32758

giturlparse

git-url-parse

semgrep

nvd

security vulnerability

regular expression denial of service

redos

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

39.7%

JSON

giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package’s author placed a ReDoS attack payload in a URL used by the package.

Affected configurations

NVD

Node

semgrepsemgrepRange≤1.21.0

AND

coalagit-url-parseRange≤1.2.2

CPENameOperatorVersion
coala:git-url-parsecoala git-url-parsele1.2.2

CPE	Name	Operator	Version
coala:git-url-parse	coala git-url-parse	le	1.2.2

References

github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53

github.com/returntocorp/semgrep/pull/7611

github.com/returntocorp/semgrep/pull/7943

github.com/returntocorp/semgrep/pull/7955

pypi.org/project/git-url-parse

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

39.7%

JSON

Related for CVE-2023-32758

osv3 veracode1 prion2 cvelist2 github2 nvd2 cve1