Lucene search

GitHub Advisory DatabaseGHSA-RGQX-226F-2XP4

HistorySep 21, 2022 - 12:00 a.m.

steal Inefficient Regular Expression Complexity vulnerability via string variable

2022-09-2100:00:38

CWE-1333

GitHub Advisory Database

github.com

vulnerability

regular expression

complexity

stealjs 2.2.4

redos

flaw

string variable

babel.js

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

46.6%

JSON

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js.

Affected configurations

Vulners

Node

stealjsstealRange≤2.3.0

VendorProductVersionCPE
stealjssteal*cpe:2.3:a:stealjs:steal:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
stealjs	steal	*	cpe:2.3:a:stealjs:steal::::::::

References

github.com/advisories/GHSA-rgqx-226f-2xp4

github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L54124

github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L54129

github.com/stealjs/steal/issues/1528

nvd.nist.gov/vuln/detail/CVE-2022-37259

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

46.6%

JSON

Related for GHSA-RGQX-226F-2XP4