SnykCVELIST:CVE-2024-21490CVE-2024-21490
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
0.001 Low
EPSS
Percentile
20.3%
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service.
Note:
This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.
CNA Affected
[
{
"product": "angular",
"versions": [
{
"version": "1.3.0",
"lessThan": "*",
"status": "affected",
"versionType": "semver"
}
],
"vendor": "n/a"
},
{
"product": "org.webjars.bower:angular",
"versions": [
{
"version": "1.3.0",
"lessThan": "*",
"status": "affected",
"versionType": "semver"
}
],
"vendor": "n/a"
},
{
"product": "org.webjars.npm:angular",
"versions": [
{
"version": "1.3.0",
"lessThan": "*",
"status": "affected",
"versionType": "semver"
}
],
"vendor": "n/a"
}
]References
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747
security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos
support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoS
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
0.001 Low
EPSS
Percentile
20.3%