GoogleOSV:GHSA-WQXW-8H5G-HQ56Switcher Client contains Regular Expression Denial of Service (ReDoS)
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
0.001 Low
EPSS
Percentile
37.9%
Impact
Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).
Patches
Patched in 3.1.4
Workarounds
Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.
| CPE | Name | Operator | Version |
|---|---|---|---|
| switcher-client | lt | 3.1.4 |
References
github.com/switcherapi/switcher-client-master
github.com/switcherapi/switcher-client-master/commit/374752563d6ce9353ee592b40c809c8136f24930
github.com/switcherapi/switcher-client-master/releases/tag/v3.1.4
github.com/switcherapi/switcher-client-master/security/advisories/GHSA-wqxw-8h5g-hq56
nvd.nist.gov/vuln/detail/CVE-2023-23925
Related
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
0.001 Low
EPSS
Percentile
37.9%