cvelistv5 - CVE-2021-32723

CVE-2021-32723 (GCVE-0-2021-32723)

Vulnerability from cvelistv5 – Published: 2021-06-28 19:15 – Updated: 2024-08-03 23:33

Summary

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/PrismJS/prism/security/advisor…	x_refsource_CONFIRM
	https://github.com/PrismJS/prism/pull/2688	x_refsource_MISC
	https://github.com/PrismJS/prism/pull/2774	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	PrismJS	prism	Affected: < 1.24

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:54.878Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/PrismJS/prism/pull/2688"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/PrismJS/prism/pull/2774"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "prism",
          "vendor": "PrismJS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.24"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-07T14:42:13",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PrismJS/prism/pull/2688"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PrismJS/prism/pull/2774"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        }
      ],
      "source": {
        "advisory": "GHSA-gj77-59wh-66hg",
        "discovery": "UNKNOWN"
      },
      "title": "Regular Expression Denial of Service (ReDoS) in Prism",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32723",
          "STATE": "PUBLIC",
          "TITLE": "Regular Expression Denial of Service (ReDoS) in Prism"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "prism",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.24"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "PrismJS"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg",
              "refsource": "CONFIRM",
              "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg"
            },
            {
              "name": "https://github.com/PrismJS/prism/pull/2688",
              "refsource": "MISC",
              "url": "https://github.com/PrismJS/prism/pull/2688"
            },
            {
              "name": "https://github.com/PrismJS/prism/pull/2774",
              "refsource": "MISC",
              "url": "https://github.com/PrismJS/prism/pull/2774"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-gj77-59wh-66hg",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32723",
    "datePublished": "2021-06-28T19:15:15",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:33:54.878Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*\", \"versionEndExcluding\": \"1.24.0\", \"matchCriteriaId\": \"7E2F5A9C-1C99-4F59-9A07-2342B171C39C\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"21.1.4\", \"matchCriteriaId\": \"485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.\"}, {\"lang\": \"es\", \"value\": \"Prism es una biblioteca de resaltado de sintaxis. Algunos lenguajes anteriores a la versi\\u00f3n 1.24.0, son vulnerables a una Denegaci\\u00f3n de Servicio por Expresiones Regulares (ReDoS). Cuando Prism es usado para resaltar texto no confiable (dado por el usuario), un atacante puede dise\\u00f1ar una cadena que tardar\\u00e1 mucho tiempo en ser resaltada. Este problema ha sido corregido en Prism versi\\u00f3n v1.24. Como soluci\\u00f3n alternativa , no utilice ASCIIDoc o ERB para resaltar texto no confiable. Otros lenguajes no est\\u00e1n afectados y pueden ser usados para resaltar texto no confiable\"}]",
      "id": "CVE-2021-32723",
      "lastModified": "2024-11-21T06:07:36.180",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-06-28T20:15:07.857",
      "references": "[{\"url\": \"https://github.com/PrismJS/prism/pull/2688\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/PrismJS/prism/pull/2774\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/PrismJS/prism/pull/2688\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/PrismJS/prism/pull/2774\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-32723\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-06-28T20:15:07.857\",\"lastModified\":\"2024-11-21T06:07:36.180\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.\"},{\"lang\":\"es\",\"value\":\"Prism es una biblioteca de resaltado de sintaxis. Algunos lenguajes anteriores a la versi\u00f3n 1.24.0, son vulnerables a una Denegaci\u00f3n de Servicio por Expresiones Regulares (ReDoS). Cuando Prism es usado para resaltar texto no confiable (dado por el usuario), un atacante puede dise\u00f1ar una cadena que tardar\u00e1 mucho tiempo en ser resaltada. Este problema ha sido corregido en Prism versi\u00f3n v1.24. Como soluci\u00f3n alternativa , no utilice ASCIIDoc o ERB para resaltar texto no confiable. Otros lenguajes no est\u00e1n afectados y pueden ser usados para resaltar texto no confiable\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.24.0\",\"matchCriteriaId\":\"7E2F5A9C-1C99-4F59-9A07-2342B171C39C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"21.1.4\",\"matchCriteriaId\":\"485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E\"}]}]}],\"references\":[{\"url\":\"https://github.com/PrismJS/prism/pull/2688\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrismJS/prism/pull/2774\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrismJS/prism/pull/2688\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrismJS/prism/pull/2774\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

GSD-2021-32723

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-32723

Aliases

CVE-2021-32723

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-32723",
    "description": "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.",
    "id": "GSD-2021-32723"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-32723"
      ],
      "details": "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.",
      "id": "GSD-2021-32723",
      "modified": "2023-12-13T01:23:08.700182Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32723",
        "STATE": "PUBLIC",
        "TITLE": "Regular Expression Denial of Service (ReDoS) in Prism"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "prism",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.24"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "PrismJS"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg",
            "refsource": "CONFIRM",
            "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg"
          },
          {
            "name": "https://github.com/PrismJS/prism/pull/2688",
            "refsource": "MISC",
            "url": "https://github.com/PrismJS/prism/pull/2688"
          },
          {
            "name": "https://github.com/PrismJS/prism/pull/2774",
            "refsource": "MISC",
            "url": "https://github.com/PrismJS/prism/pull/2774"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-gj77-59wh-66hg",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.24.0",
          "affected_versions": "All versions before 1.24.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2022-03-28",
          "description": "Prism is a syntax highlighting library. Some languages is vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.",
          "fixed_versions": [
            "1.24.0"
          ],
          "identifier": "CVE-2021-32723",
          "identifiers": [
            "CVE-2021-32723",
            "GHSA-gj77-59wh-66hg"
          ],
          "not_impacted": "All versions starting from 1.24.0",
          "package_slug": "npm/prismjs",
          "pubdate": "2021-06-28",
          "solution": "Upgrade to version 1.24.0 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32723"
          ],
          "uuid": "4ba4f58d-9ec6-4b88-a66f-ffcea23d68ca"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.24.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "21.1.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32723"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg"
            },
            {
              "name": "https://github.com/PrismJS/prism/pull/2688",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/PrismJS/prism/pull/2688"
            },
            {
              "name": "https://github.com/PrismJS/prism/pull/2774",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/PrismJS/prism/pull/2774"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-03-28T16:16Z",
      "publishedDate": "2021-06-28T20:15Z"
    }
  }
}

FKIE_CVE-2021-32723

Vulnerability from fkie_nvd - Published: 2021-06-28 20:15 - Updated: 2024-11-21 06:07

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/PrismJS/prism/pull/2688	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/PrismJS/prism/pull/2774	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg	Third Party Advisory
security-advisories@github.com	https://www.oracle.com/security-alerts/cpujan2022.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/PrismJS/prism/pull/2688	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/PrismJS/prism/pull/2774	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpujan2022.html	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	prismjs	prism	*
	oracle	application_express	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "7E2F5A9C-1C99-4F59-9A07-2342B171C39C",
              "versionEndExcluding": "1.24.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E",
              "versionEndExcluding": "21.1.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text."
    },
    {
      "lang": "es",
      "value": "Prism es una biblioteca de resaltado de sintaxis. Algunos lenguajes anteriores a la versi\u00f3n 1.24.0, son vulnerables a una Denegaci\u00f3n de Servicio por Expresiones Regulares (ReDoS). Cuando Prism es usado para resaltar texto no confiable (dado por el usuario), un atacante puede dise\u00f1ar una cadena que tardar\u00e1 mucho tiempo en ser resaltada. Este problema ha sido corregido en Prism versi\u00f3n v1.24. Como soluci\u00f3n alternativa , no utilice ASCIIDoc o ERB para resaltar texto no confiable. Otros lenguajes no est\u00e1n afectados y pueden ser usados para resaltar texto no confiable"
    }
  ],
  "id": "CVE-2021-32723",
  "lastModified": "2024-11-21T06:07:36.180",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-06-28T20:15:07.857",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrismJS/prism/pull/2688"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrismJS/prism/pull/2774"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrismJS/prism/pull/2688"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrismJS/prism/pull/2774"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2021-55173

Vulnerability from cnvd - Published: 2021-07-27

Title

Prism资源管理错误漏洞

Description

Prism是一个应用软件。是一种轻量级的，可扩展的语法突出显示工具。 Prism 1.24.0之前版本存在安全漏洞，该漏洞源于当Prism用于突出显示不受信任的文本时，攻击者可利用该漏洞精心制作一个字符串，需要非常非常长的时间来显示。

Severity

中

Patch Name

Prism资源管理错误漏洞的补丁

Patch Description

Prism是一个应用软件。是一种轻量级的，可扩展的语法突出显示工具。 Prism 1.24.0之前版本存在安全漏洞，该漏洞源于当Prism用于突出显示不受信任的文本时，攻击者可利用该漏洞精心制作一个字符串，需要非常非常长的时间来显示。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg

Reference

https://github.com/PrismJS/prism/pull/2688

Impacted products

Name
Prism Prism <1.24.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-32723"
    }
  },
  "description": "Prism\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u662f\u4e00\u79cd\u8f7b\u91cf\u7ea7\u7684\uff0c\u53ef\u6269\u5c55\u7684\u8bed\u6cd5\u7a81\u51fa\u663e\u793a\u5de5\u5177\u3002\n\nPrism 1.24.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53Prism\u7528\u4e8e\u7a81\u51fa\u663e\u793a\u4e0d\u53d7\u4fe1\u4efb\u7684\u6587\u672c\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7cbe\u5fc3\u5236\u4f5c\u4e00\u4e2a\u5b57\u7b26\u4e32\uff0c\u9700\u8981\u975e\u5e38\u975e\u5e38\u957f\u7684\u65f6\u95f4\u6765\u663e\u793a\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-55173",
  "openTime": "2021-07-27",
  "patchDescription": "Prism\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u662f\u4e00\u79cd\u8f7b\u91cf\u7ea7\u7684\uff0c\u53ef\u6269\u5c55\u7684\u8bed\u6cd5\u7a81\u51fa\u663e\u793a\u5de5\u5177\u3002\r\n\r\nPrism 1.24.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53Prism\u7528\u4e8e\u7a81\u51fa\u663e\u793a\u4e0d\u53d7\u4fe1\u4efb\u7684\u6587\u672c\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7cbe\u5fc3\u5236\u4f5c\u4e00\u4e2a\u5b57\u7b26\u4e32\uff0c\u9700\u8981\u975e\u5e38\u975e\u5e38\u957f\u7684\u65f6\u95f4\u6765\u663e\u793a\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Prism\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Prism Prism \u003c1.24.0"
  },
  "referenceLink": "https://github.com/PrismJS/prism/pull/2688",
  "serverity": "\u4e2d",
  "submitTime": "2021-06-30",
  "title": "Prism\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

CERTFR-2022-AVI-050

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Oracle Database Server. Elles permettent à un attaquant de provoquer un déni de service, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Database Server	Java VM versions 12.1.0.2, 12.2.0.1, 19c et 21c
Oracle	Database Server	Core RDBMS versions 12.2.0.1 et 19c
Oracle	Database Server	Oracle Application Express (Prism) versions antérieures à 21.1.4
Oracle	Database Server	Oracle Application Express (CKEditor) versions antérieures à 21.1.4

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle cpujan2022 du 18 janvier 2022

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Java VM versions 12.1.0.2, 12.2.0.1, 19c et 21c",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Core RDBMS versions 12.2.0.1 et 19c",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Application Express (Prism) versions ant\u00e9rieures \u00e0 21.1.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Application Express (CKEditor) versions ant\u00e9rieures \u00e0 21.1.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-21247",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21247"
    },
    {
      "name": "CVE-2021-32723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32723"
    },
    {
      "name": "CVE-2021-37695",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37695"
    },
    {
      "name": "CVE-2022-21393",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21393"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-050",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-01-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service,\nun contournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujan2022 du 18 janvier 2022",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html#AppendixDB"
    }
  ]
}

CERTFR-2022-AVI-050

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Database Server	Java VM versions 12.1.0.2, 12.2.0.1, 19c et 21c
Oracle	Database Server	Core RDBMS versions 12.2.0.1 et 19c
Oracle	Database Server	Oracle Application Express (Prism) versions antérieures à 21.1.4
Oracle	Database Server	Oracle Application Express (CKEditor) versions antérieures à 21.1.4

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle cpujan2022 du 18 janvier 2022

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Java VM versions 12.1.0.2, 12.2.0.1, 19c et 21c",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Core RDBMS versions 12.2.0.1 et 19c",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Application Express (Prism) versions ant\u00e9rieures \u00e0 21.1.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Application Express (CKEditor) versions ant\u00e9rieures \u00e0 21.1.4",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-21247",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21247"
    },
    {
      "name": "CVE-2021-32723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32723"
    },
    {
      "name": "CVE-2021-37695",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37695"
    },
    {
      "name": "CVE-2022-21393",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21393"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-050",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-01-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service,\nun contournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujan2022 du 18 janvier 2022",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html#AppendixDB"
    }
  ]
}

GHSA-GJ77-59WH-66HG

Vulnerability from github – Published: 2021-06-28 18:33 – Updated: 2022-02-08 21:21

Summary

Regular Expression Denial of Service (ReDoS) in Prism

Details

Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.

ASCIIDoc
ERB

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.24.

References

PrismJS/prism#2774
PrismJS/prism#2688

Severity ?

7.4 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "prismjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-28T18:15:20Z",
    "nvd_published_at": "2021-06-28T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).\n\n### Impact\n\nWhen Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.\n\n- ASCIIDoc\n- ERB\n\nOther languages are __not__ affected and can be used to highlight untrusted text.\n\n### Patches\nThis problem has been fixed in Prism v1.24.\n\n### References\n\n- PrismJS/prism#2774\n- PrismJS/prism#2688\n",
  "id": "GHSA-gj77-59wh-66hg",
  "modified": "2022-02-08T21:21:38Z",
  "published": "2021-06-28T18:33:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32723"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PrismJS/prism/pull/2688"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PrismJS/prism/pull/2774"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PrismJS/prism/commit/d85e30da6755fdbe7f8559f8e75d122297167018"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PrismJS/prism"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service (ReDoS) in Prism"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-32723 (GCVE-0-2021-32723)

GSD-2021-32723

FKIE_CVE-2021-32723

CNVD-2021-55173

CERTFR-2022-AVI-050

Solution

CERTFR-2022-AVI-050

Solution

GHSA-GJ77-59WH-66HG

Impact

Patches

References

Tags

Sightings

Nomenclature