Total: 254 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-29167 | 1 Mozilla | 1 Hawk | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack, meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use the built-in `URL` class to parse the hostname instead. `Hawk.authenticate()` accepts an `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.
CVE-2022-21195 | 1 Url-regex Project | 1 Url-regex | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | All versions of package url-regex are vulnerable to Regular Expression Denial of Service (ReDoS) which can cause the CPU usage to crash.
CVE-2021-40900 | 1 Regexfn Project | 1 Regexfn | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in regexfn v1.0.5 when validating crafted invalid emails.
CVE-2022-26650 | 1 Apache | 1 Shenyu | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can allow an attacker to pass in malicious regular expressions and characters, causing resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
CVE-2022-24713 | 3 Debian, Fedoraproject, Rust-lang | 3 Debian Linux, Fedora, Regex | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is included starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it is not recommended to deny known problematic regexes.
CVE-2022-25844 | 3 Angularjs, Fedoraproject, Netapp | 3 Angular, Fedora, Ontap Select Deploy Administration Utility | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
CVE-2021-43307 | 1 Semver-regex Project | 1 Semver-regex | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.
CVE-2021-43308 | 1 Markdown-link-extractor Project | 1 Markdown-link-extractor | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the markdown-link-extractor npm package when an attacker is able to supply arbitrary input to the module's exported function.
CVE-2021-43306 | 1 Jqueryvalidation | 1 Jquery Validation | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package when an attacker is able to supply arbitrary input to the url2 method.
CVE-2022-29169 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using a specific regular expression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs device checking by parsing the input of the User-Agent header and passes it through lookupUserAgent() (alias of useragent.lookup()). This function handles input by regexing, and attackers can abuse that by providing a ReDoS payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NGINX forwarding of the requests to the handler according to the directions in the GitHub Security Advisory.
CVE-2021-40898 | 1 Scaffold-helper Project | 1 Scaffold-helper | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in scaffold-helper v1.2.0 when copying crafted invalid files.
CVE-2022-1929 | 1 Devcert Project | 1 Devcert | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package when an attacker is able to supply arbitrary input to the certificateFor method.
CVE-2021-40892 | 1 Validate Color Project | 1 Validate Color | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in validate-color v2.1.0 when handling crafted invalid rgb(a) strings.
CVE-2021-46823 | 1 Python-ldap | 1 Python-ldap | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | python-ldap before 3.4.0 is vulnerable to a denial of service when ldap.schema is used for untrusted schema definitions, because of a regular expression denial of service (ReDoS) flaw in the LDAP schema parser. By sending crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-40660 | 1 Javadelight | 1 Nashorn Sandbox | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Delight Nashorn Sandbox 0.2.0. There is a ReDoS vulnerability that can be exploited to launch a denial of service (DoS) attack.
CVE-2021-40893 | 1 Validate Data Project | 1 Validate Data | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in validate-data v0.1.1 when validating crafted invalid emails.
CVE-2021-40894 | 1 Underscore-99xp Project | 1 Underscore-99xp | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in underscore-99xp v1.7.2 when the deepValueSearch function is called.
CVE-2022-25598 | 1 Apache | 1 Dolphinscheduler | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | Apache DolphinScheduler user registration is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.
CVE-2021-40897 | 1 Split-html-to-chars Project | 1 Split-html-to-chars | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in split-html-to-chars v1.0.5 when splitting crafted invalid HTML.
CVE-2021-39940 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. The GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent.