pysec - pysec-2022-176

pysec-2022-176

Vulnerability from pysec

Published

2022-03-30 10:15

Modified

2022-04-11 00:47

Details

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-dolphinscheduler",
        "purl": "pkg:pypi/apache-dolphinscheduler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0",
        "0.1.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25598",
    "GHSA-qg5x-66hp-cw5p"
  ],
  "details": "Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.",
  "id": "PYSEC-2022-176",
  "modified": "2022-04-11T00:47:23.902690Z",
  "published": "2022-03-30T10:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-qg5x-66hp-cw5p"
    }
  ]
}

cve-2022-25598

Vulnerability from cvelistv5

Published

2022-03-30 09:20

Modified

2024-08-03 04:42

Severity ?

Summary

Apache DolphinScheduler user registration is vulnerable to ReDoS attacks

References

▼	URL	Tags
	https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93	x_refsource_MISC

Impacted products

▼	Vendor	Product
	Apache Software Foundation	Apache DolphinScheduler

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:42:49.991Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache DolphinScheduler",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.0.5",
              "status": "affected",
              "version": "Apache DolphinScheduler",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Zheng Wang of HIT"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-12T10:06:42.168Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache DolphinScheduler user registration is vulnerable to ReDoS attacks",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-25598",
          "STATE": "PUBLIC",
          "TITLE": "Apache DolphinScheduler user registration is vulnerable to ReDoS attacks"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache DolphinScheduler",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache DolphinScheduler",
                            "version_value": "2.0.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was discovered by Zheng Wang of HIT"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "low"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1333 Inefficient Regular Expression Complexity"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-25598",
    "datePublished": "2022-03-30T09:20:12",
    "dateReserved": "2022-02-21T00:00:00",
    "dateUpdated": "2024-08-03T04:42:49.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

ghsa-qg5x-66hp-cw5p

Vulnerability from github

Published

2022-03-31 00:00

Modified

2022-04-05 18:52

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Uncontrolled Resource Consumption in Apache DolphinScheduler

Details

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.dolphinscheduler:dolphinscheduler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-dolphinscheduler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T15:38:43Z",
    "nvd_published_at": "2022-03-30T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.",
  "id": "GHSA-qg5x-66hp-cw5p",
  "modified": "2022-04-05T18:52:26Z",
  "published": "2022-03-31T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25598"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/dolphinscheduler"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2022-176.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Resource Consumption in Apache DolphinScheduler"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2022-176

Vulnerability from pysec

cve-2022-25598

Vulnerability from cvelistv5

ghsa-qg5x-66hp-cw5p

Vulnerability from github

Tags

Sightings

Nomenclature