Lucene search

Veracode Vulnerability DatabaseVERACODE:48048

HistoryJul 12, 2024 - 6:56 a.m.

Regular Expression Denial Of Service (ReDoS)

2024-07-1206:56:22

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

wagtail

regular expression denial of service

parse_query_string

crafted queries

server resources

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

26.5%

JSON

Wagtail is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to inefficient regular expression handling in the parse_query_string process for long query strings without spaces, allowing attackers to submit crafted queries that consume excessive server resources and potentially cause a crash.

References

github.com/advisories/GHSA-jmp3-39vp-fwg8

github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2

github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797

github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2

github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

26.5%

JSON

Related for VERACODE:48048