Vulnerabilities (CVE)

Filtered by CWE-1333
Total 254 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41115 1 Zulip 1 Zulip 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier, and sending messages that exploited it. A regular expression attempted to parse the user-provided regexes to verify that they were safe from ReDoS -- this was both insufficient, as well as _itself_ subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex. Affected users should [upgrade to the just-released Zulip 4.7](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-to-a-release), or [`main`](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-from-a-git-repository).
CVE-2021-41817 6 Debian, Fedoraproject, Opensuse and 3 more 9 Debian Linux, Fedora, Factory and 6 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
CVE-2021-3804 1 Taro 1 Taro 2024-02-28 7.8 HIGH 7.5 HIGH
taro is vulnerable to Inefficient Regular Expression Complexity
CVE-2021-43838 1 Jsx-slack Project 1 Jsx-slack 2024-02-28 5.0 MEDIUM 7.5 HIGH
jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. In versions prior to 4.5.1 users are vulnerable to a regular expression denial-of-service (ReDoS) attack. If attacker can put a lot of JSX elements into `<blockquote>` tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources. jsx-slack v4.5.1 has patched to a regex for escaping blockquote characters. Users are advised to upgrade as soon as possible.
CVE-2021-3803 2 Debian, Nth-check Project 2 Debian Linux, Nth-check 2024-02-28 5.0 MEDIUM 7.5 HIGH
nth-check is vulnerable to Inefficient Regular Expression Complexity
CVE-2021-3810 1 Coder 1 Code-server 2024-02-28 7.8 HIGH 7.5 HIGH
code-server is vulnerable to Inefficient Regular Expression Complexity
CVE-2021-23490 1 Parse-link-header Project 1 Parse-link-header 2024-02-28 5.0 MEDIUM 7.5 HIGH
The package parse-link-header before 2.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.
CVE-2021-3807 2 Ansi-regex Project, Oracle 2 Ansi-regex, Communications Cloud Native Core Policy 2024-02-28 7.8 HIGH 7.5 HIGH
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
CVE-2022-21681 2 Fedoraproject, Marked Project 2 Fedora, Marked 2024-02-28 5.0 MEDIUM 7.5 HIGH
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
CVE-2021-3765 1 Validator Project 1 Validator 2024-02-28 5.0 MEDIUM 7.5 HIGH
validator.js is vulnerable to Inefficient Regular Expression Complexity
CVE-2021-3842 3 Debian, Fedoraproject, Nltk 3 Debian Linux, Fedora, Nltk 2024-02-28 5.0 MEDIUM 7.5 HIGH
nltk is vulnerable to Inefficient Regular Expression Complexity
CVE-2022-21670 1 Markdown-it Project 1 Markdown-it 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.
CVE-2021-39933 1 Gitlab 1 Gitlab 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a DOS attack.
CVE-2021-23446 1 Handsontable 1 Handsontable 2024-02-28 5.0 MEDIUM 7.5 HIGH
The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function.
CVE-2021-45470 1 Circl 1 Cve-search 2024-02-28 5.0 MEDIUM 7.5 HIGH
lib/DatabaseLayer.py in cve-search before 4.1.0 allows regular expression injection, which can lead to ReDoS (regular expression denial of service) or other impacts.
CVE-2021-3795 1 Semver-regex Project 1 Semver-regex 2024-02-28 5.0 MEDIUM 7.5 HIGH
semver-regex is vulnerable to Inefficient Regular Expression Complexity
CVE-2022-21680 2 Fedoraproject, Marked Project 2 Fedora, Marked 2024-02-28 5.0 MEDIUM 7.5 HIGH
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
CVE-2021-43805 1 Nebulab 1 Solidus 2024-02-28 5.0 MEDIUM 7.5 HIGH
Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential backtracking through a fragment like `a.a.` Versions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression. The maintainers added a check for email addresses that are no longer valid that will print information about any affected orders that exist. If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file `config/application.rb` manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity.
CVE-2021-33502 1 Normalize-url Project 1 Normalize-url 2024-02-28 5.0 MEDIUM 7.5 HIGH
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
CVE-2021-23382 1 Postcss 1 Postcss 2024-02-28 5.0 MEDIUM 7.5 HIGH
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).