CVE-2022-21222

2022-09-3005:15:08

Debian Security Bug Tracker

security-tracker.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

50.0%

JSON

The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

OSVersionArchitecturePackageVersionFilename
Debian12allnode-css-what< 5.0.1-1node-css-what_5.0.1-1_all.deb
Debian11allnode-css-what< 4.0.0-3+deb11u1node-css-what_4.0.0-3+deb11u1_all.deb
Debian10allnode-css-what< 2.1.0-1+deb10u1node-css-what_2.1.0-1+deb10u1_all.deb
Debian999allnode-css-what< 5.0.1-1node-css-what_5.0.1-1_all.deb
Debian13allnode-css-what< 5.0.1-1node-css-what_5.0.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	node-css-what	< 5.0.1-1	node-css-what_5.0.1-1_all.deb
Debian	11	all	node-css-what	< 4.0.0-3+deb11u1	node-css-what_4.0.0-3+deb11u1_all.deb
Debian	10	all	node-css-what	< 2.1.0-1+deb10u1	node-css-what_2.1.0-1+deb10u1_all.deb
Debian	999	all	node-css-what	< 5.0.1-1	node-css-what_5.0.1-1_all.deb
Debian	13	all	node-css-what	< 5.0.1-1	node-css-what_5.0.1-1_all.deb