CVE-2022-24713 (UB:CVE-2022-24713, Ubuntu.com)
Published: 2022-03-08 00:00:00
Source: ubuntu.com
Tags: cve-2022-24713, regex crate, denial of service, mitigations, parsing, user-controlled, upgrade, vulnerability fix

CVSS2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

EPSS: 0.004 (Percentile: 72.2%)

regex is an implementation of regular expressions for the Rust language.
The regex crate features built-in mitigations to prevent denial of service
attacks caused by untrusted regexes, or untrusted input matched by trusted
regexes. Those (tunable) mitigations already provide sane defaults to
prevent attacks. This guarantee is documented and it's considered part of
the crate's API. Unfortunately a bug was discovered in the mitigations
designed to prevent untrusted regexes from taking an arbitrary amount of
time during parsing, and it's possible to craft regexes that bypass such
mitigations. This makes it possible to perform denial of service attacks by
sending specially crafted regexes to services accepting user-controlled,
untrusted regexes. All versions of the regex crate before or equal to 1.5.4
are affected by this issue. The fix is included starting from regex 1.5.5.
All users accepting user-controlled regexes are recommended to upgrade
immediately to the latest version of the regex crate. Unfortunately there
is no fixed set of problematic regexes, as there are practically infinite
regexes that could be crafted to exploit this vulnerability. Because of
this, it is not recommended to deny known problematic regexes.
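As an added example (not code from this advisory or from the regex crate), a dependency-free Rust pre-check that budgets the length, group nesting depth and repetition-operator count of a user-controlled pattern before it reaches the crate. It follows the advisory's advice to reject by resource budget rather than by a denylist, and is defence in depth beside the real fix (upgrading to regex 1.5.5 or later) and the crate's own RegexBuilder limits (size_limit, nest_limit, dfa_size_limit); the type and function names and the default limits are assumptions.

```rust
// Added example, not code from the advisory or from the regex crate.
// Resource-budget pre-check for user-controlled patterns: reject by size,
// nesting and repetition count, never by a denylist of "known bad" regexes.
// Names and default limits are assumptions; the fix itself is regex >= 1.5.5.

#[derive(Debug, PartialEq)]
pub enum Reject {
    TooLong(usize),
    TooDeep(usize),
    TooManyRepeats(usize),
    Unbalanced,
}

pub struct Limits { pub max_len: usize, pub max_nesting: usize, pub max_repeats: usize }
impl Default for Limits {
    fn default() -> Self { Limits { max_len: 256, max_nesting: 8, max_repeats: 32 } }
}

/// Coarse budget check; a counter, not a regex parser. Escapes and classes are
/// skipped so `\(` and `[(]` are not groups; `(?` is a group prefix, not a repeat.
pub fn check_untrusted_pattern(pattern: &str, limits: &Limits) -> Result<(), Reject> {
    if pattern.len() > limits.max_len {
        return Err(Reject::TooLong(pattern.len()));
    }
    let chars: Vec<char> = pattern.chars().collect();
    let (mut depth, mut max_depth, mut repeats) = (0usize, 0usize, 0usize);
    let (mut in_class, mut group_open) = (false, false);
    let mut i = 0;
    while i < chars.len() {
        let after_open = group_open;
        group_open = false;
        match chars[i] {
            '\\' => i += 1, // skip the escaped character
            '[' if !in_class => in_class = true,
            ']' if in_class => in_class = false,
            _ if in_class => {}
            '(' => { depth += 1; max_depth = max_depth.max(depth); group_open = true; }
            ')' => { if depth == 0 { return Err(Reject::Unbalanced); } depth -= 1; }
            '?' if after_open => {} // `(?:`, `(?i)`, `(?P<name>` ...
            '*' | '+' | '?' | '{' => repeats += 1,
            _ => {}
        }
        i += 1;
    }
    if depth != 0 { return Err(Reject::Unbalanced); }
    if max_depth > limits.max_nesting { return Err(Reject::TooDeep(max_depth)); }
    if repeats > limits.max_repeats { return Err(Reject::TooManyRepeats(repeats)); }
    Ok(())
}
```

Over-counting (for example a `{` inside `\x{41}`) only leads to a rejection, which is the safe direction for a pre-filter.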

Bugs

Notes

Author Note: eslerm adding thunderbird per mfsa2022-15
OS     | Version | Architecture | Package     | Version                          | Filename
ubuntu | 18.04   | noarch       | firefox     | < 99.0+build2-0ubuntu0.18.04.2   | UNKNOWN
ubuntu | 20.04   | noarch       | firefox     | < 99.0+build2-0ubuntu0.20.04.2   | UNKNOWN
ubuntu | 21.10   | noarch       | firefox     | < 99.0+build2-0ubuntu0.21.10.2   | UNKNOWN
ubuntu | 22.04   | noarch       | firefox     | < 1:1snap1-0ubuntu1              | UNKNOWN
ubuntu | 22.10   | noarch       | firefox     | < 1:1snap1-0ubuntu1              | UNKNOWN
ubuntu | 23.04   | noarch       | firefox     | < 1:1snap1-0ubuntu1              | UNKNOWN
ubuntu | 20.04   | noarch       | rust-regex  | < 1.2.1-3ubuntu0.1               | UNKNOWN
ubuntu | 22.04   | noarch       | rust-regex  | < 1.5.4-1ubuntu0.1               | UNKNOWN
ubuntu | 18.04   | noarch       | thunderbird | < 1:91.8.1+build1-0ubuntu0.18.04.1 | UNKNOWN
ubuntu | 20.04   | noarch       | thunderbird | < 1:91.8.1+build1-0ubuntu0.20.04.1 | UNKNOWN
Showing rows 1-10 of 111.
