nvd
NVD:CVE-2022-35923
History: Aug 02, 2022 - 8:15 p.m.

CVE-2022-35923

2022-08-02 20:15:09
CWE-400
CWE-1333
web.nvd.nist.gov
v8n javascript library
inefficient regular expression
denial of service

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 50.0%

v8n is a JavaScript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the lowercase() and uppercase() regex which could lead to a denial of service attack. In testing of the lowercase() function, a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue.

Affected configurations

Nvd
Node: v8n_project v8n, Range <1.5.1, node.js

Vendor: v8n_project
Product: v8n
Version: *
CPE: cpe:2.3:a:v8n_project:v8n:*:*:*:*:*:node.js:*:*
