CVE-2023-26118

2023-03-3005:00:02

snyk

www.cve.org

vulnerability

angular package

redos

regular expression

input functionality

exploiting

catastrophic backtracking

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P

0.002 Low

EPSS

Percentile

59.4%

JSON

Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type=“url”> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

CNA Affected

[
  {
    "product": "angular",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "*",
        "status": "affected",
        "version": "1.4.9",
        "versionType": "semver"
      }
    ]
  },
  {
    "product": "org.webjars.bower:angular",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "*",
        "status": "affected",
        "version": "1.4.9",
        "versionType": "semver"
      }
    ]
  },
  {
    "product": "org.webjars.npm:angular",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "*",
        "status": "affected",
        "version": "1.4.9",
        "versionType": "semver"
      }
    ]
  },
  {
    "product": "org.webjars.bowergithub.angular:angular",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "*",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]