Total
254 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-41115 | 1 Zulip | 1 Zulip | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier, and sending messages that exploited it. A regular expression attempted to parse the user-provided regexes to verify that they were safe from ReDoS -- this was both insufficient, as well as _itself_ subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex. Affected users should [upgrade to the just-released Zulip 4.7](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-to-a-release), or [`main`](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-from-a-git-repository). | |||||
CVE-2021-41817 | 6 Debian, Fedoraproject, Opensuse and 3 more | 9 Debian Linux, Fedora, Factory and 6 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. | |||||
CVE-2021-3804 | 1 Taro | 1 Taro | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
taro is vulnerable to Inefficient Regular Expression Complexity | |||||
CVE-2021-43838 | 1 Jsx-slack Project | 1 Jsx-slack | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. In versions prior to 4.5.1 users are vulnerable to a regular expression denial-of-service (ReDoS) attack. If attacker can put a lot of JSX elements into `<blockquote>` tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources. jsx-slack v4.5.1 has patched to a regex for escaping blockquote characters. Users are advised to upgrade as soon as possible. | |||||
CVE-2021-3803 | 2 Debian, Nth-check Project | 2 Debian Linux, Nth-check | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
nth-check is vulnerable to Inefficient Regular Expression Complexity | |||||
CVE-2021-3810 | 1 Coder | 1 Code-server | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
code-server is vulnerable to Inefficient Regular Expression Complexity | |||||
CVE-2021-23490 | 1 Parse-link-header Project | 1 Parse-link-header | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The package parse-link-header before 2.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function. | |||||
CVE-2021-3807 | 2 Ansi-regex Project, Oracle | 2 Ansi-regex, Communications Cloud Native Core Policy | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
ansi-regex is vulnerable to Inefficient Regular Expression Complexity | |||||
CVE-2022-21681 | 2 Fedoraproject, Marked Project | 2 Fedora, Marked | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources. | |||||
CVE-2021-3765 | 1 Validator Project | 1 Validator | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
validator.js is vulnerable to Inefficient Regular Expression Complexity | |||||
CVE-2021-3842 | 3 Debian, Fedoraproject, Nltk | 3 Debian Linux, Fedora, Nltk | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
nltk is vulnerable to Inefficient Regular Expression Complexity | |||||
CVE-2022-21670 | 1 Markdown-it Project | 1 Markdown-it | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading. | |||||
CVE-2021-39933 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a DOS attack. | |||||
CVE-2021-23446 | 1 Handsontable | 1 Handsontable | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function. | |||||
CVE-2021-45470 | 1 Circl | 1 Cve-search | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
lib/DatabaseLayer.py in cve-search before 4.1.0 allows regular expression injection, which can lead to ReDoS (regular expression denial of service) or other impacts. | |||||
CVE-2021-3795 | 1 Semver-regex Project | 1 Semver-regex | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
semver-regex is vulnerable to Inefficient Regular Expression Complexity | |||||
CVE-2022-21680 | 2 Fedoraproject, Marked Project | 2 Fedora, Marked | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources. | |||||
CVE-2021-43805 | 1 Nebulab | 1 Solidus | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential backtracking through a fragment like `a.a.` Versions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression. The maintainers added a check for email addresses that are no longer valid that will print information about any affected orders that exist. If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file `config/application.rb` manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity. | |||||
CVE-2021-33502 | 1 Normalize-url Project | 1 Normalize-url | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. | |||||
CVE-2021-23382 | 1 Postcss | 1 Postcss | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*). |