CVE-2024-21490

2024-02-1000:00:00

ubuntu.com

cve-2024-21490

package angular

regex vulnerability

ng-srcset directive

denial of service

eol

migration

@angular/core

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

20.3%

JSON

This affects versions of the package angular from 1.3.0. A regular
expression used to split the value of the ng-srcset directive is vulnerable
to super-linear runtime due to backtracking. With large carefully-crafted
input, this can result in catastrophic backtracking and cause a denial of
service. Note: This package is EOL and will not receive any updates to
address this issue. Users should migrate to
@angular/core.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchangular.js< anyUNKNOWN
ubuntu20.04noarchangular.js< anyUNKNOWN
ubuntu22.04noarchangular.js< anyUNKNOWN
ubuntu23.10noarchangular.js< anyUNKNOWN
ubuntu24.04noarchangular.js< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	angular.js	< any	UNKNOWN
ubuntu	20.04	noarch	angular.js	< any	UNKNOWN
ubuntu	22.04	noarch	angular.js	< any	UNKNOWN
ubuntu	23.10	noarch	angular.js	< any	UNKNOWN
ubuntu	24.04	noarch	angular.js	< any	UNKNOWN