GHSA-CMCX-XHR8-3W9P

Vulnerability from github – Published: 2020-02-20 23:26 – Updated: 2024-02-08 22:49
Summary
Denial of Service in uap-core when processing crafted User-Agent strings
Details

Impact

Some regexes are vulnerable to regular expression denial of service (ReDoS) because adjacent quantified sub-patterns can match the same characters, so an input that ultimately fails to match forces the backtracking engine to try every way of splitting it between them. This allows a remote attacker to overload a server by setting the User-Agent header of an HTTP(S) request to a maliciously crafted long string.

Patches

Please update uap-core to >= v0.7.3

Downstream packages such as uap-python and uap-ruby, which depend on uap-core, follow different version schemes; check each one's own advisory for the fixed release (the RubyGems user_agent_parser gem, for example, is fixed in 2.6.0 according to the affected ranges below).

Details

Each vulnerable regular expression reported here contains three adjacent, overlapping quantified sub-patterns (for example " *", "[^;]+" and " *", all of which accept a space). When the remainder of the pattern then fails to match, the engine tries every way of dividing a run of n such characters among the three, so backtracking takes approximately cubic time in the length of the user-agent string.

Regex 1:

\bSmartWatch *\( *([^;]+) *; *([^;]+) *;

is vulnerable in the portion " *([^;]+) *" (all three pieces accept a space, and no ";" follows in the payload) and can be attacked with

"SmartWatch(" + (" " * 3500) + "z"

e.g.

SmartWatch(                                   z

Regex 2:

; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\)

is vulnerable in the portion "\d+[^\);]+[^\);]*" (all three pieces accept a digit) and can be attacked with

";A Build HuaweiA" + ("4" * 3500) + "z"

Regex 3:

(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\)

is vulnerable in the portion " *([^;]*) *" and can be attacked with

"HbbTV/0.0.0 (;LGE;" + (" " * 3500) + "z"

Regex 4:

(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*;

is vulnerable in the portions " *(?:CUS:([^;]*)|([^;]+)) *" and " *([^;]*) *" and can be attacked with

"HbbTV/0.0.0 (;CUS:;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;z;" + (" " * 3500) + "z"

Reported by Ben Caller @bcaller
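The following is an added example, not code from the advisory or from the uap-core project. It runs Regex 1 exactly as quoted above against the advisory's payload shape at a few lengths so the cubic growth is measurable, and shows two mitigations: a length cap on the User-Agent header before any regex runs, and an illustrative rewrite of Regex 1 in which the captured field must start and end with a non-space character, so the surrounding " *" can no longer trade characters with it. The rewrite, the MAX_UA_LEN value and the safe_smartwatch helper are this example's own assumptions, not the upstream patch; note that the rewrite also changes what the groups capture (no surrounding spaces), which would have to be checked against the project's test suite.

```python
"""Added example (not uap-core's code): measure the cubic backtracking behind
GHSA-cmcx-xhr8-3w9p on Regex 1 and demonstrate two mitigations."""
import re
import time

# Regex 1 exactly as quoted in the advisory.  " *", "[^;]+" and " *" are
# adjacent and all accept a space, so a run of n spaces with no ";" after it
# forces the engine to try every way of splitting the run: O(n^3).
VULNERABLE_RE = re.compile(r"\bSmartWatch *\( *([^;]+) *; *([^;]+) *;")

# Illustrative rewrite (an assumption of this example, not the upstream fix):
# each captured field must begin and end with a non-space character, so the
# neighbouring " *" cannot absorb characters the group could also take, and
# a failing match backtracks in linear time.
HARDENED_RE = re.compile(
    r"\bSmartWatch *\( *([^; ](?:[^;]*[^; ])?) *; *([^; ](?:[^;]*[^; ])?) *;"
)

# Engine-independent mitigation: bound the header length before any regex
# runs.  512 is an assumed deployment value, not a uap-core setting.
MAX_UA_LEN = 512


def attack_string(n: int) -> str:
    """The advisory's payload shape: 'SmartWatch(' + n spaces + 'z', no ';'."""
    return "SmartWatch(" + (" " * n) + "z"


def match_seconds(pattern: re.Pattern, text: str, repeats: int = 3) -> float:
    """Best-of-N wall time for one search; whether it matches is irrelevant."""
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - t0)
    return best


def growth_ratio(pattern: re.Pattern, n: int = 80) -> float:
    """time(2n) / time(n): cubic backtracking gives roughly 8, linear roughly 2."""
    return match_seconds(pattern, attack_string(2 * n)) / match_seconds(
        pattern, attack_string(n)
    )


def safe_smartwatch(user_agent: str):
    """Parse with both mitigations applied: reject oversized input first, then
    run the hardened pattern.  Returns (field1, field2) or None."""
    if len(user_agent) > MAX_UA_LEN:
        return None
    m = HARDENED_RE.search(user_agent)
    return m.groups() if m else None


if __name__ == "__main__":
    for n in (50, 100, 200):
        print(
            f"n={n:4d}  vulnerable={match_seconds(VULNERABLE_RE, attack_string(n)):.4f}s"
            f"  hardened={match_seconds(HARDENED_RE, attack_string(n)):.6f}s"
        )
    print("growth ratio, vulnerable pattern:", round(growth_ratio(VULNERABLE_RE), 1))
    # Constructed benign User-Agent fragment.
    print(safe_smartwatch("SmartWatch( Gear S3 ; Tizen 3.0 ;"))
```

Do not run the vulnerable pattern at the advisory's 3500 spaces in a test harness: with roughly 3500^3/6 backtracking steps it takes minutes on CPython's re module, which is exactly the point of the advisory. In production the cheaper of the two mitigations is the length cap, because it protects every pattern in the regexes.yaml file at once and does not depend on the regex engine; the pattern rewrite is what fixes the root cause and is what a reviewer should demand for each of the four regexes listed above.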


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uap-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "user_agent_parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-02-20T23:09:32Z",
    "nvd_published_at": "2020-02-21T00:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nSome regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.\n\n### Patches\n\nPlease update uap-core to >= v0.7.3\n\nDownstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.\n\n### Details\n\nEach vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string.\n\n#### Regex 1:\n\n```\n\\bSmartWatch *\\( *([^;]+) *; *([^;]+) *;\n```\n\nis vulnerable in portion ` *([^;]+) *` and can be attacked with\n\n```python\n\"SmartWatch(\" + (\" \" * 3500) + \"z\"\n```\ne.g.\n```\nSmartWatch(                                   z\n```\n\n\n#### Regex 2:\n\n```\n; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\\d+[^\\);]+)[^\\);]*\\)\n```\n\nis vulnerable in portion `\\d+[^\\);]+[^\\);]*` and can be attacked with\n\n```python\n\";A Build HuaweiA\" + (\"4\" * 3500) + \"z\"\n```\n\n\n#### Regex 3:\n\n```\n(HbbTV)/[0-9]+\\.[0-9]+\\.[0-9]+ \\([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\\)\n```\n\nis vulnerable in portion ` *([^;]*) *` and can be attacked with\n\n```python\n\"HbbTV/0.0.0 (;LGE;\" + (\" \" * 3500) + \"z\"\n```\n\n#### Regex 4:\n\n```\n(HbbTV)/[0-9]+\\.[0-9]+\\.[0-9]+ \\([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*;\n```\n\nis vulnerable in portions ` *(?:CUS:([^;]*)|([^;]+)) *` and ` *([^;]*) *` and can be attacked with\n\n```python\n\"HbbTV/0.0.0 (;CUS:;\" + (\" \" * 3500) + \"z\"\n\"HbbTV/0.0.0 (;\" + (\" \" * 3500) + \"z\"\n\"HbbTV/0.0.0 (;z;\" + (\" \" * 3500) + \"z\"\n```\n\nReported by Ben Caller @bcaller",
  "id": "GHSA-cmcx-xhr8-3w9p",
  "modified": "2024-02-08T22:49:51Z",
  "published": "2020-02-20T23:26:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ua-parser/uap-core/commit/0afd61ed85396a3b5316f18bfd1edfaadf8e88e1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/user_agent_parser/CVE-2020-5243.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in uap-core when processing crafted User-Agent strings"
}
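The affected ranges in the record above are in OSV format, and the practical question for an operator is whether a given installed version falls inside them. The following is an added example (not part of the advisory or of any uap-core tooling): it embeds a constructed excerpt of the record above and evaluates the ECOSYSTEM ranges with OSV's event semantics, where a version is affected when the last event at or below it is an "introduced" event rather than a "fixed" one. The version comparison is a plain dotted-numeric compare, an assumption that suffices for the versions in this record but not for pre-release or build-metadata versions, and "last_affected" events (absent here) are not handled.

```python
"""Added example (not from the advisory): evaluate OSV 'affected' ranges for
an installed package.  The record below is constructed from the page's JSON."""
import json

# Constructed excerpt of GHSA-cmcx-xhr8-3w9p, limited to the fields needed.
OSV_RECORD = json.loads("""
{
  "id": "GHSA-cmcx-xhr8-3w9p",
  "aliases": ["CVE-2020-5243"],
  "affected": [
    {"package": {"ecosystem": "npm", "name": "uap-core"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "0.7.3"}]}]},
    {"package": {"ecosystem": "RubyGems", "name": "user_agent_parser"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "2.6.0"}]}]}
  ]
}
""")


def version_key(version: str) -> tuple:
    """Dotted-numeric ordering; assumption: no pre-release or build suffixes."""
    return tuple(int(part) for part in version.split("."))


def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """OSV semantics for ECOSYSTEM ranges: walk the events in version order and
    the package is affected if the last event at or below `version` is an
    'introduced' event.  Only 'introduced' and 'fixed' events are handled."""
    installed = version_key(version)
    for entry in record["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in entry.get("ranges", []):
            if rng["type"] != "ECOSYSTEM":
                continue
            # Each event is a one-key dict such as {"fixed": "0.7.3"}.
            events = sorted(rng["events"], key=lambda e: version_key(next(iter(e.values()))))
            affected = False
            for event in events:
                kind, bound = next(iter(event.items()))
                if version_key(bound) > installed:
                    break
                affected = kind == "introduced"
            if affected:
                return True
    return False


if __name__ == "__main__":
    for eco, pkg, ver in [("npm", "uap-core", "0.7.2"), ("npm", "uap-core", "0.7.3"),
                          ("RubyGems", "user_agent_parser", "2.5.0")]:
        print(eco, pkg, ver, "affected" if is_affected(OSV_RECORD, eco, pkg, ver) else "not affected")
```

Because downstream wrappers version independently of uap-core, the check must be run against the wrapper's own package name and ecosystem, not against the uap-core range; a uap-python or uap-ruby install that is not listed in this record needs its own advisory consulted.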

