Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:CVE-2024-4067
HistoryMay 14, 2024 - 3:42 p.m.

CVE-2024-4067

2024-05-1415:42:00
Google
osv.dev
7
cve-2024-4067
npm package
micromatch
regular expression denial of service
index.js
greedy matching
pattern matching
vulnerability
payload
backtracking
fix
application slowdown

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

6.4

Confidence

High

JSON

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn’t find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won’t start backtracking the regular expression due to greedy matching.

Related

nvd 1
nessus 5
openvas 2
ibm 19
vulnrichment 1
ubuntucve 1
redhatcve 1
fedora 2
cvelist 1
veracode 1
github 1
cve 1
debiancve 1
cbl_mariner 1
osv 1
wolfi 1
redhat 1
nvd
nvd
CVE-2024-4067
2024-05-14 15:42:47
nessus
nessus
RHEL 6 : gjs (Unpatched Vulnerability)
2024-07-11 00:00:00
Fedora 40 : yarnpkg (2024-eef12396fc)
2024-07-13 00:00:00
Fedora 39 : pgadmin4 (2024-9820d9491f)
2024-07-13 00:00:00
openvas
openvas
Fedora: Security Advisory (FEDORA-2024-eef12396fc)
2024-08-06 00:00:00
Fedora: Security Advisory (FEDORA-2024-9820d9491f)
2024-08-06 00:00:00
ibm
ibm
Security Bulletin: IBM DataPower Gateway vulnerable to DoS due to Node.js micromatch module (CVE-2024-4067)
2024-09-03 14:18:08
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js micromatch
2024-07-29 21:51:41
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js micromatch module denial of service vulnerability[ CVE-2024-4067]
2024-08-05 21:44:27
vulnrichment
vulnrichment
CVE-2024-4067 Regular Expression Denial of Service in micromatch
2024-05-13 10:04:42
ubuntucve
ubuntucve
CVE-2024-4067
2024-05-14 00:00:00
redhatcve
redhatcve
CVE-2024-4067
2024-05-15 12:25:41
fedora
fedora
[SECURITY] Fedora 40 Update: yarnpkg-1.22.22-2.fc40
2024-07-13 02:46:53
[SECURITY] Fedora 39 Update: pgadmin4-7.8-7.fc39
2024-07-13 02:42:18
cvelist
cvelist
CVE-2024-4067 Regular Expression Denial of Service in micromatch
2024-05-13 10:04:42
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2024-05-31 05:28:55
github
github
Regular Expression Denial of Service (ReDoS) in micromatch
2024-05-14 18:30:54
cve
cve
CVE-2024-4067
2024-05-14 15:42:47
debiancve
debiancve
CVE-2024-4067
2024-05-14 15:42:47
cbl_mariner
cbl_mariner
CVE-2024-4067 affecting package reaper for versions less than 3.1.1-9
2024-06-06 19:53:22
osv
osv
CGA-6q83-777j-gp5r
2024-08-24 15:19:56
wolfi
wolfi
CVE-2024-4067 vulnerabilities
2024-09-18 21:11:55
redhat
redhat
(RHSA-2024:6211) Important: Red Hat OpenShift Service Mesh Containers for 2.6.1 security update
2024-09-03 08:26:25

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

6.4

Confidence

High

JSON
Related for OSV:CVE-2024-4067
nvd1nessus5openvas2ibm19vulnrichment1ubuntucve1redhatcve1fedora2cvelist1veracode1github1cve1debiancve1cbl_mariner1osv1wolfi1redhat1