Total: 225 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-29169 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using a specific regular expression, an attacker can cause a denial of service for the bbb-html5 service. The useragent library performs device checking by parsing the User-Agent header input and passes it through lookupUserAgent() (an alias of useragent.lookup()). This function handles input with regular expressions, and attackers can abuse that by providing a ReDoS payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable Nginx forwarding of the requests to the handler according to the directions in the GitHub Security Advisory. |
CVE-2021-40898 | 1 Scaffold-helper Project | 1 Scaffold-helper | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in scaffold-helper v1.2.0 when copying crafted invalid files. |
CVE-2022-1929 | 1 Devcert Project | 1 Devcert | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package when an attacker is able to supply arbitrary input to the certificateFor method. |
CVE-2021-40892 | 1 Validate Color Project | 1 Validate Color | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in validate-color v2.1.0 when handling crafted invalid rgb(a) strings. |
CVE-2021-46823 | 1 Python-ldap | 1 Python-ldap | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | python-ldap before 3.4.0 is vulnerable to a denial of service when ldap.schema is used for untrusted schema definitions, because of a regular expression denial of service (ReDoS) flaw in the LDAP schema parser. By sending crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-40660 | 1 Javadelight | 1 Nashorn Sandbox | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Delight Nashorn Sandbox 0.2.0. There is a ReDoS vulnerability that can be exploited to launch a denial of service (DoS) attack. |
CVE-2021-40893 | 1 Validate Data Project | 1 Validate Data | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in validate-data v0.1.1 when validating crafted invalid emails. |
CVE-2021-40894 | 1 Underscore-99xp Project | 1 Underscore-99xp | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in underscore-99xp v1.7.2 when the deepValueSearch function is called. |
CVE-2022-25598 | 1 Apache | 1 Dolphinscheduler | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | Apache DolphinScheduler user registration is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. |
CVE-2021-40897 | 1 Split-html-to-chars Project | 1 Split-html-to-chars | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in split-html-to-chars v1.0.5 when splitting crafted invalid HTML. |
CVE-2021-39940 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. The GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent. |
CVE-2021-41115 | 1 Zulip | 1 Zulip | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial of service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier and sending messages that exploited it. A regular expression attempted to parse the user-provided regexes to verify that they were safe from ReDoS; this was both insufficient and _itself_ subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex. Affected users should [upgrade to the just-released Zulip 4.7](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-to-a-release), or [`main`](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-from-a-git-repository). |
CVE-2021-41817 | 6 Debian, Fedoraproject, Opensuse and 3 more | 9 Debian Linux, Fedora, Factory and 6 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. |
CVE-2021-3804 | 1 Taro | 1 Taro | 2024-02-28 | 7.8 HIGH | 7.5 HIGH | taro is vulnerable to Inefficient Regular Expression Complexity. |
CVE-2021-43838 | 1 Jsx-slack Project | 1 Jsx-slack | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. In versions prior to 4.5.1 users are vulnerable to a regular expression denial of service (ReDoS) attack. If an attacker can put a lot of JSX elements into a `<blockquote>` tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources. jsx-slack v4.5.1 has patched the regex for escaping blockquote characters. Users are advised to upgrade as soon as possible. |
CVE-2021-3803 | 2 Debian, Nth-check Project | 2 Debian Linux, Nth-check | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | nth-check is vulnerable to Inefficient Regular Expression Complexity. |
CVE-2021-3810 | 1 Coder | 1 Code-server | 2024-02-28 | 7.8 HIGH | 7.5 HIGH | code-server is vulnerable to Inefficient Regular Expression Complexity. |
CVE-2021-23490 | 1 Parse-link-header Project | 1 Parse-link-header | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function. |
CVE-2021-3807 | 2 Ansi-regex Project, Oracle | 2 Ansi-regex, Communications Cloud Native Core Policy | 2024-02-28 | 7.8 HIGH | 7.5 HIGH | ansi-regex is vulnerable to Inefficient Regular Expression Complexity. |
CVE-2022-21681 | 2 Fedoraproject, Marked Project | 2 Fedora, Marked | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked, or run marked on a worker thread and set a reasonable time limit to prevent draining resources. |