GitHub Advisory Database: GHSA-P28H-CC7Q-C4FG
Oct 01, 2022 - 12:00 a.m.

css-what vulnerable to ReDoS due to use of insecure regular expression

2022-10-01 00:00:24
CWE-400
GitHub Advisory Database
github.com
vulnerable
redos
regular expression
index.js
parse function
software

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
Percentile: 50.0%

The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of an insecure regular expression in the re_attr variable of index.js. The vulnerability could be triggered via the parse function.

Affected configurations

Vulners
Node
csswhat, Range: <2.1.3

CPE
Name: css-what
Operator: lt
Version: 2.1.3
