CVE-2020-28500 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2020-28500
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Las versiones de Lodash anteriores a la 4.17.21 son vulnerables a la denegación de servicio por expresiones regulares (ReDoS) a través de las funciones toNumber, trim y trimEnd A flaw was found in nodejs-lodash. A Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions is possible. • https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8 https://github.com/lodash/lodash/pull/5065 https://security.netapp.com/advisory/ntap-20210312-0006 https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM • CWE-400: Uncontrolled Resource Consumption •
CVE-2020-7793 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2020-7793
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info). El paquete ua-parser-js versiones anteriores a 0.7.23, es vulnerable a una Denegación de Servicio de Expresión Regular (ReDoS) en múltiples expresiones regulares (véase el commit vinculado para mayor información) • https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387 https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599 •
CVE-2020-28168
https://notcve.org/view.php?id=CVE-2020-28168
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. El paquete Axios NPM versión 0.21.0, contiene una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) donde un atacante es capaz de omitir un proxy al proporcionar una URL que responde con un redireccionamiento hacia un host restringido o una dirección IP • https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf https://github.com/axios/axios/issues/3369 https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E • CWE-918: Server-Side Request Forgery (SSRF) •