CVE-2020-26256

{"id": "CVE-2020-26256", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-12-08T22:15:17.540", "references": [{"url": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/C2FO/fast-csv/issues/540", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lgtm.com/query/8609731774537641779/", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/%40fast-csv/parse", "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/fast-csv", "tags": ["Product", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/C2FO/fast-csv/issues/540", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lgtm.com/query/8609731774537641779/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.npmjs.com/package/%40fast-csv/parse", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.npmjs.com/package/fast-csv", "tags": ["Product", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable."}, {"lang": "es", "value": "Fast-csv es un paquete npm para analizar y formatear CSV o cualquier otro archivo de valor delimitado en node. En fast-cvs anterior a versi\u00f3n 4.3.6, se presenta una posible vulnerabilidad ReDoS (Denegaci\u00f3n de servicio de expresi\u00f3n regular) cuando se usa la opci\u00f3n ignoreEmpty al analizar. Esto ha sido parcheado en versi\u00f3n \"v4.3.6\" Solo se ver\u00e1 afectado por esto si utiliza la opci\u00f3n de an\u00e1lisis \"ignoreEmpty\". Si usa esta opci\u00f3n, se recomienda que actualice a la \u00faltima versi\u00f3n \"v4.3.6\". Esta vulnerabilidad se encontr\u00f3 usando una consulta CodeQL que identific\u00f3 la expresi\u00f3n regular \"EMPTY_ROW_REGEXP\" como vulnerable"}], "lastModified": "2024-11-21T05:19:40.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:c2fo:fast-csv:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "38FF4853-5265-411D-91CC-D0137CBE216E", "versionEndExcluding": "4.3.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}