CVE-2021-33587

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/fb55/css-what/releases/tag/v5.0.1	Patch Release Notes Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html
https://security.netapp.com/advisory/ntap-20210706-0007/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:css-what_project:css-what:4.0.0:::::node.js::
	cpe:2.3:a:css-what_project:css-what:5.0.0:::::node.js::

Configuration 2 (hide)

cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-05-28 20:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-33587

Mitre link : CVE-2021-33587

CVE.ORG link : CVE-2021-33587

JSON object : View

Products Affected

netapp

e-series_performance_analyzer

css-what_project

css-what

CWE

NVD-CWE-noinfo

{"id": "CVE-2021-33587", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-05-28T20:15:07.733", "references": [{"url": "https://github.com/fb55/css-what/releases/tag/v5.0.1", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html", "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20210706-0007/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input."}, {"lang": "es", "value": "El paquete css-what versi\u00f3n 4.0.0 hasta la versi\u00f3n 5.0.0 para Node.js no asegura que el an\u00e1lisis sint\u00e1ctico de atributos tenga una complejidad de tiempo lineal en relaci\u00f3n con el tama\u00f1o de la entrada"}], "lastModified": "2023-03-03T13:15:10.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:css-what_project:css-what:4.0.0:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5BEE51B0-F2BB-43D6-AF8D-17D94E599014"}, {"criteria": "cpe:2.3:a:css-what_project:css-what:5.0.0:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E2F67046-07B3-4FC4-9B28-ED197CF16A25"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24B8DB06-590A-4008-B0AB-FCD1401C77C6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}