Denial of Service in uap-core when processing crafted User-Agent strings

2020-03-10T18:02:49
ID GHSA-PCQQ-5962-HVCW
Type github
Reporter GitHub Advisory Database
Modified 2020-03-10T18:02:49

Description

Impact

Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.

Patches

Please update uap-ruby to >= v2.6.0

For more information

https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p

Reported in uap-core by Ben Caller @bcaller