Lucene search

GitHub Advisory DatabaseGHSA-3X9F-74H4-2FQR

HistoryJul 22, 2021 - 7:48 p.m.

Denial of Service in SheetJS Pro

2021-07-2219:48:17

CWE-400

GitHub Advisory Database

github.com

101

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

28.7%

JSON

SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).

Affected configurations

Vulners

Node

org.webjars.npm\Matchxlsx

xlsxRange<0.17.0

CPENameOperatorVersion
org.webjars.npm:xlsxlt0.17.0
xlsxlt0.17.0

CPE	Name	Operator	Version
	org.webjars.npm:xlsx	lt	0.17.0
	xlsx	lt	0.17.0

References

floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/

github.com/advisories/GHSA-3x9f-74h4-2fqr

nvd.nist.gov/vuln/detail/CVE-2021-32012

sheetjs.com/pro

www.npmjs.com/package/xlsx/v/0.17.0

www.oracle.com/security-alerts/cpujan2022.html

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

28.7%

JSON

Related for GHSA-3X9F-74H4-2FQR