CVE-2021-27292 – nodejs-ua-parser-js: ReDoS via malicious User-Agent header
https://notcve.org/view.php?id=CVE-2021-27292
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression that is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
A regular expression denial of service (ReDoS) vulnerability was found in the npm library `ua-parser-js`. If a supplied user agent matches the `Noble` string and contains many spaces, the regex backtracks, taking an ever-increasing amount of time as the number of spaces grows. An attacker can use this vulnerability to craft a malicious user agent that results in a denial of service.
References:
https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
https://access.redhat.com/security/cve/CVE-2021-27292
https://bugzilla.redhat.com/show_bug.cgi?id=1940613
CWE-400: Uncontrolled Resource Consumption

CVE-2020-7793 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2020-7793
The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see the linked commit for more information).
References:
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387
https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599

CVE-2020-7733 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2020-7733
The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
A flaw was found in nodejs-ua-parser-js. The software is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
References:
https://github.com/faisalman/ua-parser-js/commit/233d3bae22a795153a7e6638887ce159c63e557d
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-674666
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665
https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226
https://www.oracle.com//security-alerts/cpujul2021.html
https://access.redhat.com/security/cve/CVE-2020-7733
https://bugzilla.redhat.com/show_bug.cgi?id=1879733
CWE-400: Uncontrolled Resource Consumption