Lucene search

GitHub_MVULNRICHMENT:CVE-2024-45813

HistorySep 18, 2024 - 4:47 p.m.

CVE-2024-45813 ReDoS vulnerability in multiparametric routes in find-my-way

2024-09-1816:47:57

CWE-1333

GitHub_M

github.com

find-my-way

redos vulnerability

multiparametric routes

denial of service

update

http router

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

6.8

Confidence

High

EPSS

Percentile

16.4%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it’s framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a - at the end, like /:a-:b-. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue.

References

blakeembrey.com/posts/2024-09-web-redos

github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440

github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

6.8

Confidence

High

EPSS

Percentile

16.4%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-45813