Lucene search

GitHub Advisory DatabaseGHSA-PMG9-P9R2-6Q87

HistoryJul 24, 2018 - 7:46 p.m.

ReDoS via long UserAgent header in ua-parser

2018-07-2419:46:37

CWE-400

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.009 Low

EPSS

Percentile

82.9%

JSON

Affected versions of ua-parser are vulnerable to regular expression denial of service when given a specially crafted User-Agent header.

Recommendation

No patch is currently available for this vulnerability.

The best mitigation is currently to avoid using this package, using a different, functionally equivalent package such as useragent.

Affected configurations

Vulners

Node

uaparserRange≤0.3.5

CPENameOperatorVersion
ua-parserle0.3.5

CPE	Name	Operator	Version
	ua-parser	le	0.3.5

References

github.com/advisories/GHSA-pmg9-p9r2-6q87

nvd.nist.gov/vuln/detail/CVE-2017-16086

www.npmjs.com/advisories/316

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.009 Low

EPSS

Percentile

82.9%

JSON

Related for GHSA-PMG9-P9R2-6Q87