Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd596c5446-0ce5-4ba2-aa66-48b3b757a647NVD:CVE-2024-4067
HistoryMay 14, 2024 - 3:42 p.m.

CVE-2024-4067

2024-05-1415:42:47
CWE-1333
596c5446-0ce5-4ba2-aa66-48b3b757a647
web.nvd.nist.gov
npm package
micromatch
regular expression denial of service
redos
greedy matching
vulnerability
index.js
code fix
mitigation

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn’t find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won’t start backtracking the regular expression due to greedy matching.

Related

vulnrichment 1
ubuntucve 1
cvelist 1
veracode 1
cve 1
debiancve 1
cbl_mariner 1
redhatcve 1
ibm 3
nessus 1
vulnrichment
vulnrichment
CVE-2024-4067 Regular Expression Denial of Service in micromatch
2024-05-13 10:04:42
ubuntucve
ubuntucve
CVE-2024-4067
2024-05-14 00:00:00
cvelist
cvelist
CVE-2024-4067 Regular Expression Denial of Service in micromatch
2024-05-13 10:04:42
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2024-05-31 05:28:55
cve
cve
CVE-2024-4067
2024-05-14 15:42:47
debiancve
debiancve
CVE-2024-4067
2024-05-14 15:42:47
cbl_mariner
cbl_mariner
CVE-2024-4067 affecting package reaper for versions less than 3.1.1-9
2024-06-06 19:53:22
redhatcve
redhatcve
CVE-2024-4067
2024-05-15 12:25:41
ibm
ibm
Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to Node.js micromatch & braces modules (CVE-2024-4067 & CVE-2024-4068)
2024-06-14 10:40:40
Security Bulletin: IBM Edge Application Manager 4.5.6 addresses the security vulnerabilities listed in the CVEs below.
2024-06-26 14:33:10
Security Bulletin: IBM Observability with Instana for Synthetic PoP is affected by Multiple Security Vulnerabilities
2024-05-31 06:13:11
nessus
nessus
RHEL 6 : pcs (Unpatched Vulnerability)
2024-06-03 00:00:00

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON
Related for NVD:CVE-2024-4067
vulnrichment1ubuntucve1cvelist1veracode1cve1debiancve1cbl_mariner1redhatcve1ibm3nessus1