Lucene search

GitHub Advisory DatabaseGHSA-V63Q-HGQC-QVPG

HistoryJan 03, 2023 - 6:30 p.m.

MooTools Regular Expression Denial of Service

2023-01-0318:30:25

CWE-400

CWE-1333

GitHub Advisory Database

github.com

mootools

javascript

redos

vulnerability

css selector

parser

jquery

patches

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

37.2%

JSON

MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite common with e.g. jQuery CSS selectors. No patches are available for this issue.

Affected configurations

Vulners

Node

mootoolsmootoolsRange≤1.5.2

VendorProductVersionCPE
mootoolsmootools*cpe:2.3:a:mootools:mootools:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mootools	mootools	*	cpe:2.3:a:mootools:mootools::::::::

References

github.com/advisories/GHSA-v63q-hgqc-qvpg

nvd.nist.gov/vuln/detail/CVE-2021-32821

securitylab.github.com/advisories/GHSL-2020-345-redos-mootools

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

37.2%

JSON

Related for GHSA-V63Q-HGQC-QVPG