Lucene search

Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-0746EF21FB57269306F975E13A419E12

HistoryJun 06, 2023 - 12:00 a.m.

Inefficient Regular Expression Complexity

2023-06-0600:00:00

https://gitlab.com/gitlab-org/security-products/gemnasium-db

gitlab.com

regular expression

denial of service

redos

vulnerability

redcloth gem

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

46.7%

JSON

A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Affected configurations

Vulners

Node

gemredclothRange≤4.3.2

VendorProductVersionCPE
gemredcloth*cpe:2.3:a:gem:redcloth:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gem	redcloth	*	cpe:2.3:a:gem:redcloth::::::::

References

github.com/advisories/GHSA-qcm3-vfq5-wfr2

github.com/e23e/CVE-2023-31606#readme

github.com/jgarber/redcloth

github.com/jgarber/redcloth/blob/v4.3.2/lib/redcloth/formatters/html.rb#L327

github.com/jgarber/redcloth/issues/73

github.com/rubysec/ruby-advisory-db/blob/master/gems/RedCloth/CVE-2023-31606.yml

lists.debian.org/debian-lts-announce/2023/07/msg00002.html

nvd.nist.gov/vuln/detail/CVE-2023-31606

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

46.7%

JSON

Related for GITLAB-0746EF21FB57269306F975E13A419E12