Total
256 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-2232 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 6.5 MEDIUM |
An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix | |||||
CVE-2023-34104 | 1 Fast-xml-parser Project | 1 Fast-xml-parser | 2024-02-28 | N/A | 7.5 HIGH |
fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the `processEntities: false` option. | |||||
CVE-2023-33950 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-02-28 | N/A | 7.5 HIGH |
Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs. | |||||
CVE-2023-28756 | 3 Debian, Fedoraproject, Ruby-lang | 4 Debian Linux, Fedora, Ruby and 1 more | 2024-02-28 | N/A | 5.3 MEDIUM |
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2. | |||||
CVE-2023-1894 | 1 Puppet | 2 Puppet Enterprise, Puppet Server | 2024-02-28 | N/A | 5.3 MEDIUM |
A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations. | |||||
CVE-2023-2198 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 7.5 HIGH |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. | |||||
CVE-2022-25883 | 1 Npmjs | 1 Semver | 2024-02-28 | N/A | 7.5 HIGH |
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. | |||||
CVE-2023-27704 | 1 Voidtools | 1 Everything | 2024-02-28 | N/A | 5.5 MEDIUM |
Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS). | |||||
CVE-2023-30858 | 1 Denosaurs | 1 Emoji | 2024-02-28 | N/A | 7.5 HIGH |
The Denosaurs emoji package provides emojis for dinosaurs. Starting in version 0.1.0 and prior to version 0.3.0, the reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. The issue has been patched in 0.3.0. As a workaround, avoid using the `replace`, `unemojify`, or `strip` functions. | |||||
CVE-2023-26118 | 2 Angularjs, Fedoraproject | 2 Angular, Fedora | 2024-02-28 | N/A | 5.3 MEDIUM |
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. | |||||
CVE-2022-25881 | 1 Http-cache-semantics Project | 1 Http-cache-semantics | 2024-02-28 | N/A | 7.5 HIGH |
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. | |||||
CVE-2022-30122 | 2 Debian, Rack Project | 2 Debian Linux, Rack | 2024-02-28 | N/A | 7.5 HIGH |
A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. | |||||
CVE-2022-44570 | 1 Rack Project | 1 Rack | 2024-02-28 | N/A | 7.5 HIGH |
A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. | |||||
CVE-2023-23621 | 1 Discourse | 1 Discourse | 2024-02-28 | N/A | 7.5 HIGH |
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, a malicious user can cause a regular expression denial of service using a carefully crafted user agent. This issue is patched in version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches. There are no known workarounds. | |||||
CVE-2023-22792 | 1 Rubyonrails | 1 Rails | 2024-02-28 | N/A | 7.5 HIGH |
A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. | |||||
CVE-2022-3514 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 5.3 MEDIUM |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser. | |||||
CVE-2023-26103 | 1 Deno | 1 Deno | 2024-02-28 | N/A | 7.5 HIGH |
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. | |||||
CVE-2023-22795 | 3 Debian, Ruby-lang, Rubyonrails | 3 Debian Linux, Ruby, Rails | 2024-02-28 | N/A | 7.5 HIGH |
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. | |||||
CVE-2021-32821 | 1 Mootools | 1 Mootools | 2024-02-28 | N/A | 7.5 HIGH |
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite common with e.g. jQuery CSS selectors. No patches are available for this issue. | |||||
CVE-2022-25927 | 1 Ua-parser-js Project | 1 Ua-parser-js | 2024-02-28 | N/A | 7.5 HIGH |
Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function. |