Search criteria
1 vulnerability by validatejs
CVE-2020-26308 (GCVE-0-2020-26308)
Vulnerability from cvelistv5 – Published: 2024-10-26 20:26 – Updated: 2024-10-28 14:45
VLAI
Title
GHSL-2020-302: Regular Expression Denial of Service (ReDoS) in validate.js
Summary
Validate.js provides a declarative way of validating javascript objects. Versions 0.13.1 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ansman | validate.js |
Affected:
0 , ≤ 0.13.1
(custom)
|
|
| ansman | validate.js |
Affected:
0 , ≤ 0.13.1
(custom)
cpe:2.3:a:ansman:validate.js:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ansman:validate.js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "validate.js",
"vendor": "ansman",
"versions": [
{
"lessThanOrEqual": "0.13.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-26308",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T14:42:29.968019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T14:45:43.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "validate.js",
"repo": "https://github.com/ansman/validate.js",
"vendor": "ansman",
"versions": [
{
"lessThanOrEqual": "0.13.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eValidate.js provides a declarative way of validating javascript objects.\u003c/span\u003e Versions 0.13.1 and prior\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econtain one or more regular expressions that are vulnerable to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRegular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Validate.js provides a declarative way of validating javascript objects. Versions 0.13.1 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-26T20:26:25.628Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2020-302-redos-validate.js/"
},
{
"url": "https://github.com/ansman/validate.js/issues/342"
}
],
"source": {
"advisory": "GHSL-2020-302",
"discovery": "UNKNOWN"
},
"title": "GHSL-2020-302: Regular Expression Denial of Service (ReDoS) in validate.js",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26308",
"datePublished": "2024-10-26T20:26:25.628Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-10-28T14:45:43.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}