Lucene search

K

GoogleOSV:GHSA-C33W-24P9-8M24

HistoryApr 03, 2023 - 6:30 a.m.

configobj ReDoS exploitable by developer using values in a server-side configuration file

2023-04-0306:30:19

Google

osv.dev

12

configobj

redos

vulnerability

validate function

server-side configuration

software

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

50.0%

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)((.*)). Note: This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.

References

github.com/DiffSK/configobj

github.com/DiffSK/configobj/issues/232

lists.fedoraproject.org/archives/list/[email protected]/message/6BO4RLMYEJODCNUE3DJIIUUFVTPAG6VN

lists.fedoraproject.org/archives/list/[email protected]/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK

lists.fedoraproject.org/archives/list/[email protected]/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK

nvd.nist.gov/vuln/detail/CVE-2023-26112

security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

50.0%

Related for OSV:GHSA-C33W-24P9-8M24

openvas16 prion1 nessus24 cvelist1 osv2 freebsd2 veracode1 cve1 fedora3 github1 ibm1 redos1 redhatcve1 nvd1 debiancve1 ubuntucve1 amazon1