CVE-2022-21222

2022-09-3005:15:08

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.0%

JSON

The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

CPENameOperatorVersion
css-whateq0.4.7
css-whateq2.0.1
css-whateq0.4.6
css-whateq0.4.3
css-whateq0.4.4
css-whateq2.1.2
css-whateq2.1.0
css-whateq0.4.5
css-whateq2.0.0
css-whateq2.0.2

Name	Operator	Version
css-what	eq	0.4.7
css-what	eq	2.0.1
css-what	eq	0.4.6
css-what	eq	0.4.3
css-what	eq	0.4.4
css-what	eq	2.1.2
css-what	eq	2.1.0
css-what	eq	0.4.5
css-what	eq	2.0.0
css-what	eq	2.0.2