GoogleOSV:GHSA-M2H2-264F-F486angular vulnerable to regular expression denial of service (ReDoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.011 Low
EPSS
Percentile
84.5%
AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ’ '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value.
Note:
- This package has been deprecated and is no longer maintained.
- The vulnerable versions are 1.7.0 and higher.
References
github.com/angular/angular.js
lists.fedoraproject.org/archives/list/[email protected]/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3
lists.fedoraproject.org/archives/list/[email protected]/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO
nvd.nist.gov/vuln/detail/CVE-2022-25844
security.netapp.com/advisory/ntap-20220629-0009
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737
snyk.io/vuln/SNYK-JS-ANGULAR-2772735
stackblitz.com/edit/angularjs-material-blank-zvtdvb
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.011 Low
EPSS
Percentile
84.5%