Regular Expression Denial Of Service (ReDoS)

2022-08-2013:48:00

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

33.0%

JSON

schroot is vulnerable to regualr expression denial of service. The vulnerability exists in is_valid_sessionname in sbuild-util.cc because it doesn’t limit the allowed characters on schroot names properly which allows an attacker to perform a ReDoS attack.

CPENameOperatorVersion
schroot:sideq1.6.10-12
schroot:sideq1.6.10-11
schroot:bustereq1.6.10-6+b1
schroot:bullseyeeq1.6.10-11
schroot:bookwormeq1.6.10-12
schroot:bioniceq1.6.10-4build1
schroot:focaleq1.6.10-9build1
schroot:sideq1.6.10-12
schroot:sideq1.6.10-11
schroot:bustereq1.6.10-6+b1

Name	Operator	Version
schroot:sid	eq	1.6.10-12
schroot:sid	eq	1.6.10-11
schroot:buster	eq	1.6.10-6+b1
schroot:bullseye	eq	1.6.10-11
schroot:bookworm	eq	1.6.10-12
schroot:bionic	eq	1.6.10-4build1
schroot:focal	eq	1.6.10-9build1
schroot:sid	eq	1.6.10-12
schroot:sid	eq	1.6.10-11
schroot:buster	eq	1.6.10-6+b1