Lucene search

GitHub Advisory DatabaseGHSA-7F3X-2WCX-HWW8

HistorySep 16, 2022 - 12:00 a.m.

steal vulnerable to Regular Expression Denial of Service via input variable

2022-09-1600:00:31

CWE-1333

GitHub Advisory Database

github.com

vulnerable

regular expression denial of service

stealjs

input variable

main.js

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

46.6%

JSON

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal via the input variable in main.js.

Affected configurations

Vulners

Node

stealjsstealRange≤2.3.0

VendorProductVersionCPE
stealjssteal*cpe:2.3:a:stealjs:steal:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
stealjs	steal	*	cpe:2.3:a:stealjs:steal::::::::

References

github.com/advisories/GHSA-7f3x-2wcx-hww8

github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L2490

github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L3344

github.com/stealjs/steal/issues/1529

nvd.nist.gov/vuln/detail/CVE-2022-37260

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

46.6%

JSON

Related for GHSA-7F3X-2WCX-HWW8