Regular Expression Denial Of Service (ReDoS)

2019-10-1806:36:36

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

webrick is vulenrable to regex denial of service (ReDoS). An attacker is able to crash the application by submitting malicious strings within the Authorization header to the authentication module.

CPENameOperatorVersion
webrickle1.4.2
ruby2.5:eoaneq2.5.5-4ubuntu2
ruby2.5:bioniceq2.5.1-1ubuntu1
ruby2.3:xenialeq2.3.0-5ubuntu1
ruby:3.7eq2.4.6-r0
jruby:stretcheq1.7.26-1+deb9u1
rh-ruby25-rubyeq2.5.5__7.el7
rh-ruby25-rubyeq2.5.3__6.el7
rh-ruby25-rubyeq2.5.0__5.el7
rh-ruby26-rubyeq2.6.2__118.el7

Name	Operator	Version
webrick	le	1.4.2
ruby2.5:eoan	eq	2.5.5-4ubuntu2
ruby2.5:bionic	eq	2.5.1-1ubuntu1
ruby2.3:xenial	eq	2.3.0-5ubuntu1
ruby:3.7	eq	2.4.6-r0
jruby:stretch	eq	1.7.26-1+deb9u1
rh-ruby25-ruby	eq	2.5.5__7.el7
rh-ruby25-ruby	eq	2.5.3__6.el7
rh-ruby25-ruby	eq	2.5.0__5.el7
rh-ruby26-ruby	eq	2.6.2__118.el7