Lucene search

AmazonALAS2-2023-2188

HistoryAug 03, 2023 - 6:10 p.m.

Low: python-configobj

2023-08-0318:10:00

alas.aws.amazon.com

python

configobj

redos

regular expression denial of service

cve-2023-26112

amazon linux 2

update

red hat

mitre

unix

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

50.0%

JSON

Issue Overview:

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). Note: This is only exploitable in the case of a developer, putting the offending value in a server side configuration file. (CVE-2023-26112)

Affected Packages:

python-configobj

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python-configobj to update your system.

New Packages:

noarch:  
    python-configobj-4.7.2-7.amzn2.0.1.noarch  
  
src:  
    python-configobj-4.7.2-7.amzn2.0.1.src

Additional References

Red Hat: CVE-2023-26112

Mitre: CVE-2023-26112

OSVersionArchitecturePackageVersionFilename
Amazon Linux2noarchpython-configobj< 4.7.2-7.amzn2.0.1python-configobj-4.7.2-7.amzn2.0.1.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	noarch	python-configobj	< 4.7.2-7.amzn2.0.1	python-configobj-4.7.2-7.amzn2.0.1.noarch.rpm

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

50.0%

JSON

Related for ALAS2-2023-2188