Lucene search

GitHub Advisory DatabaseGHSA-WQXW-8H5G-HQ56

HistoryFeb 02, 2023 - 1:33 a.m.

Switcher Client contains Regular Expression Denial of Service (ReDoS)

2023-02-0201:33:06

CWE-400

CWE-1333

GitHub Advisory Database

github.com

switcher client

redos

regular expression denial of service

3.1.4

strategy match operation

exist

patched

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

0.001 Low

EPSS

Percentile

37.9%

JSON

Impact

Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).

Patches

Patched in 3.1.4

Workarounds

Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.

Affected configurations

Vulners

Node

switcherclientRange<3.1.4

CPENameOperatorVersion
switcher-clientlt3.1.4

CPE	Name	Operator	Version
	switcher-client	lt	3.1.4

References

github.com/advisories/GHSA-wqxw-8h5g-hq56

github.com/switcherapi/switcher-client-master/commit/374752563d6ce9353ee592b40c809c8136f24930

github.com/switcherapi/switcher-client-master/releases/tag/v3.1.4

github.com/switcherapi/switcher-client-master/security/advisories/GHSA-wqxw-8h5g-hq56

nvd.nist.gov/vuln/detail/CVE-2023-23925

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

0.001 Low

EPSS

Percentile

37.9%

JSON

Related for GHSA-WQXW-8H5G-HQ56