Lucene search

GoogleOSV:GHSA-4X5V-GMQ8-25CH

HistoryJun 03, 2022 - 12:01 a.m.

Regular expression denial of service in semver-regex

2022-06-0300:01:00

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

35.9%

JSON

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

CPENameOperatorVersion
semver-regexge4.0.0
semver-regexlt4.0.3
semver-regexlt3.1.4

Name	Operator	Version
semver-regex	ge	4.0.0
semver-regex	lt	4.0.3
semver-regex	lt	3.1.4

References

github.com/sindresorhus/semver-regex

github.com/sindresorhus/semver-regex/commit/d8ba39a528c1027c43ab23f12eec28ca4d40dd0c

nvd.nist.gov/vuln/detail/CVE-2021-43307

research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

35.9%

JSON

Related for OSV:GHSA-4X5V-GMQ8-25CH