Lucene search

K

GoogleOSV:GHSA-P28H-CC7Q-C4FG

HistoryOct 01, 2022 - 12:00 a.m.

css-what vulnerable to ReDoS due to use of insecure regular expression

2022-10-0100:00:24

Google

osv.dev

11

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

50.0%

The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

CPENameOperatorVersion
css-whatlt2.1.3

References

github.com/fb55/css-what

github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js#23L12

github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12

github.com/fb55/css-what/commit/dc510929790da6617e7aa93a616498b22f6a6b72

lists.debian.org/debian-lts-announce/2023/03/msg00001.html

nvd.nist.gov/vuln/detail/CVE-2022-21222

security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

50.0%

Related for OSV:GHSA-P28H-CC7Q-C4FG

veracode1 prion1 redhatcve1 nvd1 debiancve1 github1 cvelist1 ubuntucve1 osv3 cve1 nessus2 openvas2 debian1 ubuntu1 ibm1