Lucene search

GitHub Advisory DatabaseGHSA-QCM3-VFQ5-WFR2

HistoryJun 06, 2023 - 6:30 p.m.

RedCloth Regular Expression Denial of Service issue

2023-06-0618:30:20

CWE-1333

GitHub Advisory Database

github.com

redcloth gem

regular expression denial of service

denial of service

vulnerability

sanitize_html

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

46.7%

JSON

A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of RedCloth gem. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Affected configurations

Vulners

Node

redclothRange<4.3.3

VendorProductVersionCPE
*redcloth*cpe:2.3:a:*:redcloth:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	redcloth	*	cpe:2.3:a::redcloth::::::::*

References

github.com/advisories/GHSA-qcm3-vfq5-wfr2

github.com/e23e/CVE-2023-31606#readme

github.com/jgarber/redcloth

github.com/jgarber/redcloth/blob/v4.3.2/lib/redcloth/formatters/html.rb#L327

github.com/jgarber/redcloth/commit/8b1327688fef8e6617792054ef299d7bc74c0a1e

github.com/jgarber/redcloth/issues/73

github.com/rubysec/ruby-advisory-db/blob/master/gems/RedCloth/CVE-2023-31606.yml

lists.debian.org/debian-lts-announce/2023/07/msg00002.html

nvd.nist.gov/vuln/detail/CVE-2023-31606

security.gentoo.org/glsa/202401-14

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

46.7%

JSON

Related for GHSA-QCM3-VFQ5-WFR2