Lucene search

K

GoogleOSV:GHSA-2VRF-HF26-JRP5

HistoryMar 30, 2023 - 6:30 a.m.

angular vulnerable to regular expression denial of service via the angular.copy() utility

2023-03-3006:30:26

Google

osv.dev

35

angular

redos

vulnerable

regular expression denial of service

utility function

package

software

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

57.9%

All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

References

github.com/angular/angular.js

lists.fedoraproject.org/archives/list/[email protected]/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ

lists.fedoraproject.org/archives/list/[email protected]/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K

nvd.nist.gov/vuln/detail/CVE-2023-26116

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321

security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044

stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

57.9%

Related for OSV:GHSA-2VRF-HF26-JRP5

veracode1 github1 nvd1 redhatcve1 prion1 cvelist1 ubuntucve1 cve1 debiancve1 osv1 nessus5 openvas2 fedora2 ibm9