Lucene search

GitHub Advisory DatabaseGHSA-3RH3-WFR4-76MJ

HistoryApr 06, 2021 - 5:28 p.m.

Regular expression Denial of Service in multiple packages

2021-04-0617:28:41

CWE-400

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.005 Low

EPSS

Percentile

76.0%

JSON

Impact

A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0.

Patches

The problem has been recognized and patched. The fix will be available in version 27.0.0.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 5 team would like to thank Yeting Li for recognizing and reporting these vulnerabilities.

Affected configurations

Vulners

Node

ckeditorckeditor5-widgetRange≤26.0.0node.js

ckeditorckeditor5-paste-from-officeRange≤26.0.0node.js

ckeditorckeditor5-media-embedRange≤26.0.0node.js

ckeditorckeditor5-markdown-gfmRange≤26.0.0node.js

ckeditorckeditor5-listRange≤26.0.0node.js

ckeditorckeditor5-imageRange≤26.0.0node.js

ckeditorckeditor5-fontRange≤26.0.0node.js

ckeditorckeditor5-engineRange≤26.0.0node.js

CPENameOperatorVersion
@ckeditor/ckeditor5-widgetle26.0.0
@ckeditor/ckeditor5-paste-from-officele26.0.0
@ckeditor/ckeditor5-media-embedle26.0.0
@ckeditor/ckeditor5-markdown-gfmle26.0.0
@ckeditor/ckeditor5-listle26.0.0
@ckeditor/ckeditor5-imagele26.0.0
@ckeditor/ckeditor5-fontle26.0.0
@ckeditor/ckeditor5-enginele26.0.0

Name	Operator	Version
@ckeditor/ckeditor5-widget	le	26.0.0
@ckeditor/ckeditor5-paste-from-office	le	26.0.0
@ckeditor/ckeditor5-media-embed	le	26.0.0
@ckeditor/ckeditor5-markdown-gfm	le	26.0.0
@ckeditor/ckeditor5-list	le	26.0.0
@ckeditor/ckeditor5-image	le	26.0.0
@ckeditor/ckeditor5-font	le	26.0.0
@ckeditor/ckeditor5-engine	le	26.0.0

References

github.com/advisories/GHSA-3rh3-wfr4-76mj

github.com/ckeditor/ckeditor5/releases/tag/v27.0.0

github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj

nvd.nist.gov/vuln/detail/CVE-2021-21391

www.npmjs.com/package/@ckeditor/ckeditor5-engine

www.npmjs.com/package/@ckeditor/ckeditor5-font

www.npmjs.com/package/@ckeditor/ckeditor5-image

www.npmjs.com/package/@ckeditor/ckeditor5-list

www.npmjs.com/package/@ckeditor/ckeditor5-markdown-gfm

www.npmjs.com/package/@ckeditor/ckeditor5-media-embed

www.npmjs.com/package/@ckeditor/ckeditor5-paste-from-office

www.npmjs.com/package/@ckeditor/ckeditor5-widget

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.005 Low

EPSS

Percentile

76.0%

JSON

Related for GHSA-3RH3-WFR4-76MJ