History: Sep 18, 2024 - 4:47 p.m.

CVE-2024-45813 ReDoS vulnerability in multiparametric routes in find-my-way

2024-09-18 16:47:57
CWE-1333
GitHub_M
www.cve.org
cve-2024-45813
find-my-way
redos
vulnerability
multiparametric
routes
http router
radix tree
denial of service
update
v8.2.2
v9.0.1

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS: 0
Percentile: 16.4%

find-my-way is a fast, open source HTTP router that internally uses a Radix Tree (aka compact Prefix Tree), supports route params and wildcards, and is framework independent. A bad regular expression is generated any time a route has two parameters within a single segment and a - is added at the end, like /:a-:b-. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1, or subsequent versions. There are no known workarounds for this issue.

CNA Affected

[
  {
    "vendor": "delvedor",
    "product": "find-my-way",
    "versions": [
      {
        "version": "< 8.2.2",
        "status": "affected"
      },
      {
        "version": "= 9.0.0",
        "status": "affected"
      }
    ]
  }
]
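
An added example, not code from the advisory or from find-my-way: a JavaScript audit helper that checks an installed version against the affected ranges listed above and flags routes with the shape the description names. The route check is a heuristic built from the advisory's wording, and the function names and sample routes are assumptions constructed for illustration.

```javascript
// Added example: audit helper, not find-my-way code.
// Affected ranges are the advisory's: "< 8.2.2" and "= 9.0.0".

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(v) {
  return compareVersions(v, '8.2.2') < 0 || compareVersions(v, '9.0.0') === 0;
}

// Heuristic from the advisory's wording: a single path segment holding two or
// more ":param" names and ending in "-", like "/:a-:b-". Custom per-parameter
// regexes containing "/" are not handled (assumption).
function hasRiskyShape(route) {
  return route.split('/').some((segment) => {
    const params = segment.match(/:\w+/g) || [];
    return params.length >= 2 && segment.endsWith('-');
  });
}

// Returns the routes to review; empty when the installed version is fixed.
function auditRoutes(installedVersion, routes) {
  if (!isAffectedVersion(installedVersion)) return [];
  return routes.filter(hasRiskyShape);
}

// Constructed sample input: a hypothetical route table.
const sampleRoutes = ['/users/:id', '/at/:hour-:minute', '/range/:from-:to-', '/:a-:b-/x'];
console.log(auditRoutes('8.2.1', sampleRoutes)); // → [ '/range/:from-:to-', '/:a-:b-/x' ]
console.log(auditRoutes('9.0.1', sampleRoutes)); // → []
```

Since the advisory lists no workaround, a flagged route on an affected version is a prompt to upgrade, not to rewrite the route.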
