Lucene search

K

Veracode Vulnerability DatabaseVERACODE:47880

HistoryJul 03, 2024 - 6:03 a.m.

Regular Expression Denial Of Service (ReDoS)

2024-07-0306:03:12

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7

async

redos

vulnerability

software

parsing

whitespaces

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

async is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to the autoinject function, which allows an attacker to slowdown parsing with crafted whitespaces, resulting in Regular Expression Denial of Service (ReDoS).

References

github.com/advisories/GHSA-x6xm-h7hm-7p9q

github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41

github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6

github.com/caolan/async/commit/5f756b4470d91778702cace5f5fce8060aeb7ad6

github.com/caolan/async/issues/1975

github.com/caolan/async/issues/1975#issuecomment-2204528153

github.com/caolan/async/pull/1980

github.com/zunak/CVE-2024-39249

github.com/zunak/CVE-2024-39249/issues/1

web.archive.org/web/20240710221213/https://github.com/zunak/CVE-2024-39249

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

Related for VERACODE:47880

redhatcve1 ubuntucve1 ibm4 cvelist1 nvd1 cve1 osv1 vulnrichment1