Total
254 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-3749 | 3 Axios, Oracle, Siemens | 3 Axios, Goldengate, Sinec Ins | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
axios is vulnerable to Inefficient Regular Expression Complexity | |||||
CVE-2021-23364 | 1 Browserslist Project | 1 Browserslist | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries. | |||||
CVE-2021-28092 | 1 Is-svg Project | 1 Is-svg | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time. | |||||
CVE-2021-27291 | 3 Debian, Fedoraproject, Pygments | 3 Debian Linux, Fedora, Pygments | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. | |||||
CVE-2021-23362 | 2 Npmjs, Siemens | 2 Hosted-git-info, Sinec Infrastructure Network Services | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. | |||||
CVE-2021-26813 | 2 Fedoraproject, Markdown2 Project | 2 Fedora, Markdown2 | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time. | |||||
CVE-2021-23354 | 1 Adaltas | 1 Printf | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity. | |||||
CVE-2021-21317 | 1 Uap-core Project | 1 Uap-core | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes. | |||||
CVE-2021-25292 | 1 Python | 1 Pillow | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. | |||||
CVE-2020-5243 | 1 Uap-core Project | 1 Uap-core | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3. | |||||
CVE-2019-16215 | 1 Zulip | 1 Zulip Server | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages. | |||||
CVE-2019-12041 | 1 Remarkable Project | 1 Remarkable | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section. | |||||
CVE-2017-16021 | 1 Garycourt | 1 Uri-js | 2024-02-28 | 6.8 MEDIUM | 6.5 MEDIUM |
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier. | |||||
CVE-2015-8854 | 2 Fedoraproject, Marked Project | 2 Fedora, Marked | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)." |