CVELIST:CVE-2023-23925 (source: cvelist, GitHub_M)
History: Feb 03, 2023 - 7:05 p.m.

CVE-2023-23925 Switcher Client contains Regular Expression Denial of Service (ReDoS)

2023-02-03 19:05:30
CWE-1333
CWE-400
GitHub_M
www.cve.org
switcher client
redos
vulnerability
patch
regex
exist
not_exist
strategy
sdk
javascript
cloud-based
feature flag
version 3.1.4

8.6 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

AI Score: 8.7 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 37.9%)

Switcher Client is a JavaScript SDK for working with Switcher API, a cloud-based Feature Flag service. Unsanitized input flows into the Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular Expression Denial of Service (ReDoS) attack. This issue has been patched in version 3.1.4. As a workaround, avoid using Strategy settings that use REGEX in conjunction with the EXIST and NOT_EXIST operations.

CNA Affected

[
  {
    "vendor": "switcherapi",
    "product": "switcher-client-master",
    "versions": [
      {
        "version": "< 3.1.4",
        "status": "affected"
      }
    ]
  }
]
