Lucene search

K

GitHub Advisory DatabaseGHSA-P28H-CC7Q-C4FG

HistoryOct 01, 2022 - 12:00 a.m.

css-what vulnerable to ReDoS due to use of insecure regular expression

2022-10-0100:00:24

CWE-400

GitHub Advisory Database

github.com

9

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

50.0%

The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

Affected configurations

Vulners

Node

csswhatRange<2.1.3

CPENameOperatorVersion
css-whatlt2.1.3

References

github.com/advisories/GHSA-p28h-cc7q-c4fg

github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js#23L12

github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12

github.com/fb55/css-what/commit/dc510929790da6617e7aa93a616498b22f6a6b72

lists.debian.org/debian-lts-announce/2023/03/msg00001.html

nvd.nist.gov/vuln/detail/CVE-2022-21222

security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

50.0%

Related for GHSA-P28H-CC7Q-C4FG

prion1 veracode1 redhatcve1 nvd1 osv4 ubuntucve1 debiancve1 cvelist1 cve1 nessus2 openvas2 debian1 ubuntu1 ibm1