GitHub Advisory DatabaseGHSA-486F-HJJ9-9VHHInefficient Regular Expression Complexity in Loofah
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
37.3%
Summary
Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Severity
The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
- CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)
- https://hackerone.com/reports/1684163
Credit
This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
References
github.com/advisories/GHSA-486f-hjj9-9vhh
github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
hackerone.com/reports/1684163
lists.debian.org/debian-lts-announce/2023/09/msg00011.html
nvd.nist.gov/vuln/detail/CVE-2022-23514
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
37.3%