Lucene search

K

GitHub Advisory DatabaseGHSA-2QQX-W9HR-Q5GX

HistoryMar 30, 2023 - 6:30 a.m.

angular vulnerable to regular expression denial of service via the $resource service

2023-03-3006:30:26

CWE-1333

GitHub Advisory Database

github.com

42

angular

vulnerability

regular expression

denial of service

$resource service

software

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

57.9%

All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Affected configurations

Vulners

Node

angularangularRange≤1.8.3

References

github.com/advisories/GHSA-2qqx-w9hr-q5gx

lists.fedoraproject.org/archives/list/[email protected]/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/

lists.fedoraproject.org/archives/list/[email protected]/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/

nvd.nist.gov/vuln/detail/CVE-2023-26117

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406323

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406325

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406324

security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045

stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

57.9%

Related for GHSA-2QQX-W9HR-Q5GX

cvelist1 redhatcve1 ubuntucve1 cve1 osv2 debiancve1 nessus5 veracode1 prion1 nvd1 openvas2 fedora2 ibm10