CVE-2020-26289
Regular expression Denial of Service in date-and-time
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. This is fixed in version 0.14.2.
date-and-time es un paquete npm para manipular la fecha y la hora. En date-and-time versión anterior a 0.14.2, se presenta una expresión regular involucrada en el análisis que puede ser explotada para causar una denegación de servicio. Esto es corregido en la versión 0.14.2
A flaw was found in nodejs-date-and-time. In date-and-time there a regular expression involved in parsing which can be exploited to cause a denial of service.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-10-01 CVE Reserved
- 2020-12-28 CVE Published
- 2024-08-04 CVE Updated
- 2024-11-01 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://github.com/knowledgecode/date-and-time/security/advisories/GHSA-r92x-f52r-x54g | Third Party Advisory | |
| https://www.npmjs.com/package/date-and-time | Product |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/knowledgecode/date-and-time/commit/9e4b501eacddccc8b1f559fb414f48472ee17c2a | 2020-12-30 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2020-26289 | 2021-05-19 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1911627 | 2021-05-19 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Date-and-time Project Search vendor "Date-and-time Project" | Date-and-time Search vendor "Date-and-time Project" for product "Date-and-time" | < 0.14.2 Search vendor "Date-and-time Project" for product "Date-and-time" and version " < 0.14.2" | node.js |
Affected
| ||||||