CWE-1333
Inefficient Regular Expression Complexity
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
CVE-2019-25103 (GCVE-0-2019-25103)
Vulnerability from cvelistv5 – Published: 2023-02-12 14:31 – Updated: 2024-08-05 03:00
VLAI
Title
simple-markdown simple-markdown.js redos
Summary
A vulnerability has been found in simple-markdown 0.5.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file simple-markdown.js. The manipulation leads to inefficient regular expression complexity. The attack can be launched remotely. Upgrading to version 0.5.2 is able to address this issue. The patch is named 89797fef9abb4cab2fb76a335968266a92588816. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220639.
Severity
4.3 (Medium)
4.3 (Medium)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.220639 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.220639 | signaturepermissions-required |
| https://github.com/ariabuckles/simple-markdown/co… | patch |
| https://github.com/ariabuckles/simple-markdown/re… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | simple-markdown |
Affected:
0.5.1
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.220639"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.220639"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/ariabuckles/simple-markdown/commit/89797fef9abb4cab2fb76a335968266a92588816"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/ariabuckles/simple-markdown/releases/tag/0.5.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "simple-markdown",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.5.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in simple-markdown 0.5.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file simple-markdown.js. The manipulation leads to inefficient regular expression complexity. The attack can be launched remotely. Upgrading to version 0.5.2 is able to address this issue. The patch is named 89797fef9abb4cab2fb76a335968266a92588816. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220639."
},
{
"lang": "de",
"value": "In simple-markdown 0.5.1 wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Hierbei betrifft es unbekannten Programmcode der Datei simple-markdown.js. Dank Manipulation mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Ein Aktualisieren auf die Version 0.5.2 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 89797fef9abb4cab2fb76a335968266a92588816 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T12:58:03.732Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.220639"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.220639"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ariabuckles/simple-markdown/commit/89797fef9abb4cab2fb76a335968266a92588816"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ariabuckles/simple-markdown/releases/tag/0.5.2"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-02-11T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-02-11T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-02-11T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-03-10T09:11:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "simple-markdown simple-markdown.js redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2019-25103",
"datePublished": "2023-02-12T14:31:03.261Z",
"dateReserved": "2023-02-11T10:33:28.609Z",
"dateUpdated": "2024-08-05T03:00:19.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1920 (GCVE-0-2020-1920)
Vulnerability from cvelistv5 – Published: 2021-06-01 11:45 – Updated: 2024-08-04 06:54
VLAI
Summary
A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1.
Severity
No CVSS data available.
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/facebook/react-native/releases… | x_refsource_CONFIRM |
| https://github.com/facebook/react-native/commit/c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| react-native |
Unaffected:
0.64.1 , < unspecified
(custom)
Affected: 0.59.0 , < unspecified (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:54:00.363Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/facebook/react-native/releases/tag/v0.64.1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/facebook/react-native/commit/ca09ae82715e33c9ac77b3fa55495cf84ba891c7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "react-native",
"vendor": "Facebook",
"versions": [
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "0.64.1",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.59.0",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2020-12-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T11:45:12.000Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/facebook/react-native/releases/tag/v0.64.1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/facebook/react-native/commit/ca09ae82715e33c9ac77b3fa55495cf84ba891c7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2020-12-11",
"ID": "CVE-2020-1920",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "react-native",
"version": {
"version_data": [
{
"version_affected": "!\u003e=",
"version_value": "0.64.1"
},
{
"version_affected": "\u003e=",
"version_value": "0.59.0"
}
]
}
}
]
},
"vendor_name": "Facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333: Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/facebook/react-native/releases/tag/v0.64.1",
"refsource": "CONFIRM",
"url": "https://github.com/facebook/react-native/releases/tag/v0.64.1"
},
{
"name": "https://github.com/facebook/react-native/commit/ca09ae82715e33c9ac77b3fa55495cf84ba891c7",
"refsource": "MISC",
"url": "https://github.com/facebook/react-native/commit/ca09ae82715e33c9ac77b3fa55495cf84ba891c7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2020-1920",
"datePublished": "2021-06-01T11:45:12.000Z",
"dateReserved": "2019-12-02T00:00:00.000Z",
"dateUpdated": "2024-08-04T06:54:00.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26303 (GCVE-0-2020-26303)
Vulnerability from cvelistv5 – Published: 2024-10-26 20:26 – Updated: 2024-10-28 14:59
VLAI
Title
GHSL-2020-289: Regular Expression Denial of Service (ReDoS) in insane
Summary
insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bevacqua:insane:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "insane",
"vendor": "bevacqua",
"versions": [
{
"lessThanOrEqual": "2.6.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-26303",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T14:57:34.239141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T14:59:29.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "insane",
"repo": "https://github.com/bevacqua/insane",
"vendor": "bevacqua",
"versions": [
{
"lessThanOrEqual": "2.6.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "insane is a\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhitelist-oriented HTML sanitizer. Versions 2.6.2 and prior\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econtain one or more regular expressions that are vulnerable to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRegular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-26T20:26:09.544Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2020-289-redos-insane/"
},
{
"url": "https://github.com/bevacqua/insane/issues/19"
}
],
"source": {
"advisory": "GHSL-2020-289",
"discovery": "UNKNOWN"
},
"title": "GHSL-2020-289: Regular Expression Denial of Service (ReDoS) in insane",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26303",
"datePublished": "2024-10-26T20:26:09.544Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-10-28T14:59:29.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26304 (GCVE-0-2020-26304)
Vulnerability from cvelistv5 – Published: 2024-10-26 20:26 – Updated: 2024-10-28 14:56
VLAI
Title
GHSL-2020-290: Regular Expression Denial of Service (ReDoS) in foundation-sites
Summary
Foundation is a front-end framework. Versions 6.3.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any fixes are available.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| foundation | foundation-sites |
Affected:
0 , ≤ 6.6.3
(custom)
|
|
| foundation | foundation-sites |
Affected:
0 , ≤ 6.6.3
(custom)
cpe:2.3:a:foundation:foundation-sites:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:foundation:foundation-sites:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "foundation-sites",
"vendor": "foundation",
"versions": [
{
"lessThanOrEqual": "6.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-26304",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T14:53:41.246174Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T14:56:44.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "foundation-sites",
"repo": "https://github.com/foundation/foundation-sites",
"vendor": "foundation",
"versions": [
{
"lessThanOrEqual": "6.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFoundation is a front-end framework. Versions 6.3.3 and prior\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econtain one or more regular expressions that are vulnerable to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRegular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any fixes are available.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Foundation is a front-end framework. Versions 6.3.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any fixes are available."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-26T20:26:12.868Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2020-290-redos-foundation-sites/"
},
{
"url": "https://github.com/foundation/foundation-sites/issues/12180"
}
],
"source": {
"advisory": "GHSL-2020-290",
"discovery": "UNKNOWN"
},
"title": "GHSL-2020-290: Regular Expression Denial of Service (ReDoS) in foundation-sites",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26304",
"datePublished": "2024-10-26T20:26:12.868Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-10-28T14:56:44.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26305 (GCVE-0-2020-26305)
Vulnerability from cvelistv5 – Published: 2024-10-26 20:26 – Updated: 2024-10-28 14:52
VLAI
Title
GHSL-2020-291: Regular Expression Denial of Service (ReDoS) in CommonRegexJS
Summary
CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| talyssonoc | CommonRegexJS |
Affected:
0
(custom)
|
|
| talyssonoc | commonregexjs |
Affected:
0 , < *
(custom)
cpe:2.3:a:talyssonoc:commonregexjs:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:talyssonoc:commonregexjs:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "commonregexjs",
"vendor": "talyssonoc",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-26305",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T14:51:09.906696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T14:52:45.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CommonRegexJS",
"repo": "https://github.com/talyssonoc/CommonRegexJS",
"vendor": "talyssonoc",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCommonRegexJS is a CommonRegex port for JavaScript. All available versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econtain one or more regular expressions that are vulnerable to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRegular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-26T20:26:16.039Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2020-291-redos-CommonRegexJS/"
},
{
"url": "https://github.com/talyssonoc/CommonRegexJS/issues/4"
}
],
"source": {
"advisory": "GHSL-2020-291",
"discovery": "UNKNOWN"
},
"title": "GHSL-2020-291: Regular Expression Denial of Service (ReDoS) in CommonRegexJS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26305",
"datePublished": "2024-10-26T20:26:16.039Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-10-28T14:52:45.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26306 (GCVE-0-2020-26306)
Vulnerability from cvelistv5 – Published: 2024-10-26 20:26 – Updated: 2024-10-28 14:50
VLAI
Title
GHSL-2020-296: Regular Expression Denial of Service (ReDoS) in Knwl.js
Summary
Knwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:benhmoore:knwl:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "knwl",
"vendor": "benhmoore",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-26306",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T14:49:13.075631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T14:50:27.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Knwl",
"repo": "https://github.com/benhmoore/Knwl",
"vendor": "benhmoore",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eKnwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more\u003c/span\u003e. Versions 1.0.2 and prior\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econtain one or more regular expressions that are vulnerable to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRegular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Knwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-26T20:26:19.170Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2020-296-redos-Knwl.js/"
},
{
"url": "https://github.com/benhmoore/Knwl/issues/106"
}
],
"source": {
"advisory": "GHSL-2020-296",
"discovery": "UNKNOWN"
},
"title": "GHSL-2020-296: Regular Expression Denial of Service (ReDoS) in Knwl.js",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26306",
"datePublished": "2024-10-26T20:26:19.170Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-10-28T14:50:27.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26307 (GCVE-0-2020-26307)
Vulnerability from cvelistv5 – Published: 2024-10-26 20:26 – Updated: 2024-10-28 14:48
VLAI
Title
GHSL-2020-301: Regular Expression Denial of Service (ReDoS) in HTML2Markdown
Summary
HTML2Markdown is a Javascript implementation for converting HTML to Markdown text. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| kates | html2markdown |
Affected:
0 , ≤ 1.0.2
(custom)
|
|
| kates | html2markdown |
Affected:
0 , ≤ 1.0.2
(custom)
cpe:2.3:a:kates:html2markdown:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kates:html2markdown:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "html2markdown",
"vendor": "kates",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-26307",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T14:46:42.789614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T14:48:11.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "html2markdown",
"repo": "https://github.com/kates/html2markdown",
"vendor": "kates",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHTML2Markdown is a\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eJavascript implementation for converting HTML to Markdown text.\u003c/span\u003e\u003c/span\u003e\u0026nbsp;All available versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econtain one or more regular expressions that are vulnerable to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRegular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HTML2Markdown is a Javascript implementation for converting HTML to Markdown text. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-26T20:26:22.379Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2020-301-redos-HTML2Markdown/"
},
{
"url": "https://github.com/kates/html2markdown/issues/13"
}
],
"source": {
"advisory": "GHSL-2020-301",
"discovery": "UNKNOWN"
},
"title": "GHSL-2020-301: Regular Expression Denial of Service (ReDoS) in HTML2Markdown",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26307",
"datePublished": "2024-10-26T20:26:22.379Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-10-28T14:48:11.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26308 (GCVE-0-2020-26308)
Vulnerability from cvelistv5 – Published: 2024-10-26 20:26 – Updated: 2024-10-28 14:45
VLAI
Title
GHSL-2020-302: Regular Expression Denial of Service (ReDoS) in validate.js
Summary
Validate.js provides a declarative way of validating javascript objects. Versions 0.13.1 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ansman | validate.js |
Affected:
0 , ≤ 0.13.1
(custom)
|
|
| ansman | validate.js |
Affected:
0 , ≤ 0.13.1
(custom)
cpe:2.3:a:ansman:validate.js:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ansman:validate.js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "validate.js",
"vendor": "ansman",
"versions": [
{
"lessThanOrEqual": "0.13.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-26308",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T14:42:29.968019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T14:45:43.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "validate.js",
"repo": "https://github.com/ansman/validate.js",
"vendor": "ansman",
"versions": [
{
"lessThanOrEqual": "0.13.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eValidate.js provides a declarative way of validating javascript objects.\u003c/span\u003e Versions 0.13.1 and prior\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econtain one or more regular expressions that are vulnerable to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRegular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Validate.js provides a declarative way of validating javascript objects. Versions 0.13.1 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-26T20:26:25.628Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2020-302-redos-validate.js/"
},
{
"url": "https://github.com/ansman/validate.js/issues/342"
}
],
"source": {
"advisory": "GHSL-2020-302",
"discovery": "UNKNOWN"
},
"title": "GHSL-2020-302: Regular Expression Denial of Service (ReDoS) in validate.js",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26308",
"datePublished": "2024-10-26T20:26:25.628Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-10-28T14:45:43.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26309 (GCVE-0-2020-26309)
Vulnerability from cvelistv5 – Published: 2024-10-26 20:26 – Updated: 2024-10-28 14:18
VLAI
Title
GHSL-2020-303: Regular Expression Denial of Service (ReDoS) in nope-validator
Summary
Validate.js provides a declarative way of validating javascript objects. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ftonato | nope-validator |
Affected:
0 , ≤ 0.11.3
(custom)
|
|
| ftonato | nope-validator |
Affected:
0 , ≤ 0.11.3
(custom)
cpe:2.3:a:ftonato:nope-validator:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ftonato:nope-validator:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "nope-validator",
"vendor": "ftonato",
"versions": [
{
"lessThanOrEqual": "0.11.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-26309",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T14:16:00.043101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T14:18:10.390Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "nope-validator",
"repo": "https://github.com/ftonato/nope-validator",
"vendor": "ftonato",
"versions": [
{
"lessThanOrEqual": "0.11.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eValidate.js provides a declarative way of validating javascript objects.\u003c/span\u003e Versions 0.11.3 and prior\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econtain one or more regular expressions that are vulnerable to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRegular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Validate.js provides a declarative way of validating javascript objects. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-26T20:26:28.746Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2020-303-redos-nope-validator/"
},
{
"url": "https://github.com/ftonato/nope-validator/issues/352"
}
],
"source": {
"advisory": "GHSL-2020-303",
"discovery": "UNKNOWN"
},
"title": "GHSL-2020-303: Regular Expression Denial of Service (ReDoS) in nope-validator",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26309",
"datePublished": "2024-10-26T20:26:28.746Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-10-28T14:18:10.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26310 (GCVE-0-2020-26310)
Vulnerability from cvelistv5 – Published: 2024-10-26 20:26 – Updated: 2024-10-28 14:15
VLAI
Title
GHSL-2020-305: Regular Expression Denial of Service (ReDoS) in Pure JavaScript HTML5 Parser
Summary
Validate.js provides a declarative way of validating javascript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| blowsie | Pure-JavaScript-HTML5-Parser |
Affected:
0
(custom)
|
|
| blowsie | pure_javascript_html5_parser |
Affected:
0 , < *
(custom)
cpe:2.3:a:blowsie:pure_javascript_html5_parser:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:blowsie:pure_javascript_html5_parser:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pure_javascript_html5_parser",
"vendor": "blowsie",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-26310",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T13:46:12.270000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T14:15:10.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pure-JavaScript-HTML5-Parser",
"repo": "https://github.com/blowsie/Pure-JavaScript-HTML5-Parser",
"vendor": "blowsie",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eValidate.js provides a declarative way of validating javascript objects.\u003c/span\u003e All versions as of 30 November 2020\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econtain one or more regular expressions that are vulnerable to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRegular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Validate.js provides a declarative way of validating javascript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-26T20:26:31.905Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2020-305-redos-Pure-JavaScript-HTML5-Parser/"
},
{
"url": "https://github.com/blowsie/Pure-JavaScript-HTML5-Parser/issues/14"
}
],
"source": {
"advisory": "GHSL-2020-305",
"discovery": "UNKNOWN"
},
"title": "GHSL-2020-305: Regular Expression Denial of Service (ReDoS) in Pure JavaScript HTML5 Parser",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26310",
"datePublished": "2024-10-26T20:26:31.905Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-10-28T14:15:10.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Phase: System Configuration
Description:
- Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Phase: Implementation
Description:
- Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Phase: Implementation
Description:
- Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.