Lucene search

Redhat.comRH:CVE-2024-41818

HistoryJul 31, 2024 - 8:19 a.m.

CVE-2024-41818

2024-07-3108:19:34

redhat.com

access.redhat.com

fast-xml-parser

javascript

xml parser

redos

currency.js

vulnerability

fixed version 4.4.1

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

21.9%

JSON

A regular expression denial of service (ReDoS) flaw was found in fast-xml-parser in the currency.js script. By sending a specially crafted regex input, a remote attacker could cause a denial of service condition.

References

bugzilla.redhat.com/show_bug.cgi?id=2300499

github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10

github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164

github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v

nvd.nist.gov/vuln/detail/CVE-2024-41818

www.cve.org/CVERecord?id=CVE-2024-41818

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

21.9%

JSON

Related for RH:CVE-2024-41818