HackerOne report H1:1538157 by dingleberryfarts
Apr 12, 2022 - 12:53 a.m.

Reddit: Regular Expression Denial of Service vulnerability


CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low (Percentile 44.1%)

Summary:

The vulnerability I have found is classified as a Regular Expression Denial of Service. While inspecting the source code file RealtimeGQLSubscriptionAsync.js I came across the node_module subscriptions-transport-ws (See Screenshot 1). The search result of the subscriptions-transport-ws package on npmjs.com displayed a large deprecation warning at the top of the page (See Screenshot 2), so I decided to research further. The read-me file within the package's GitHub repository states that the package has been largely unmaintained since 2018 and that users should migrate to graphql-ws (See Screenshot 3). Doing a quick search in the issues tab for the keyword “vulnerability”, I came across an issue where the GitHub user PabloJomer pointed out that the package.json lists a vulnerable dependency called ws (See Screenshot 4). The vulnerable package is listed on the NIST National Vulnerability Database under CVE-2021-32640 with a Base Score of 5.3. Further details and a PoC can be found on the Snyk Vulnerability database located here (See Screenshot 5).

The policy has some conflicting information, so I wasn’t exactly sure about what I should do about this vulnerability. The out-of-scope section states “Previously known vulnerabilities without a working Proof of Concept”, but two sections later it states not to attempt denial of service attacks (See screenshot 5). The vulnerability I have found is a Regular expression denial of service, but I am strictly forbidden from attempting any denial of service attacks. I believe I have clearly outlined the existence of a vulnerable dependency within your domain, and if given the opportunity I could successfully execute the PoC vulnerability as described in the Snyk link mentioned above.

Impact:

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportionate amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren’t very intuitive and can ultimately end up making it easy for attackers to take your site down.

Supporting Material/References:

OWASP - Regular expression Denial of Service - ReDoS

Impact

The ReDoS vulnerability can be used to take down your entire site.
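As an added illustration of the ReDoS failure mode described in the Impact section (example code written for this page, not the reporter's PoC and not the ws project's code): a constructed comma-list splitter whose regex backtracks quadratically on long runs of spaces, beside a bounded, linear parser for the Sec-WebSocket-Protocol header, the header named in the upstream advisory for CVE-2021-32640. The length limit, the token pattern and all inputs are assumptions chosen for the example.

```javascript
// Illustrative pattern (constructed, not claimed to be any library's exact code):
// the optional-space runs on both sides of the comma are retried from every
// position when the input is a long run of spaces with no comma, so the total
// work grows with the square of the header length.
const SLOW_SPLIT = / *, */;

// RFC 6455 subprotocol names are HTTP tokens: no spaces, commas or controls.
// Single character class, one quantifier, anchored: no super-linear backtracking.
const TOKEN = /^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/;

// Assumed defensive limit; a real protocol list is never this long.
const MAX_HEADER_LENGTH = 1024;

// Backtracking-prone splitter, kept only to contrast with parseSubprotocols().
function splitSlow(header) {
  return header.split(SLOW_SPLIT).filter(Boolean);
}

// Linear-time parse: cap the input before any regex runs, split on the literal
// comma, trim, then validate each token with the anchored pattern above.
function parseSubprotocols(header) {
  if (typeof header !== 'string') return [];
  if (header.length > MAX_HEADER_LENGTH) {
    throw new RangeError('Sec-WebSocket-Protocol header too long');
  }
  const out = [];
  for (const raw of header.split(',')) {
    const name = raw.trim();
    if (name === '') continue;
    if (!TOKEN.test(name)) {
      throw new SyntaxError(`invalid subprotocol token: ${JSON.stringify(name)}`);
    }
    if (out.includes(name)) throw new SyntaxError(`duplicate subprotocol: ${name}`);
    out.push(name);
  }
  return out;
}

// Wall-clock cost of one splitter call in milliseconds.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  const hostile = ' '.repeat(10000); // constructed: spaces only, no comma
  console.log(`quadratic splitter: ${timeMs(splitSlow, hostile).toFixed(1)} ms`);
  try { parseSubprotocols(hostile); } catch (e) { console.log(`bounded parser: ${e.message}`); }
}
```

The same cap can be applied one layer down with Node's `--max-http-header-size` flag, which is the workaround the ws advisory documents for servers that cannot upgrade immediately.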
