CVE-2022-24921
golang: regexp: stack exhaustion via a deeply nested expression
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
El archivo regexp.Compile en Go versiones anteriores a 1.16.15 y versiones 1.17.x anteriores a 1.17.8, permite un agotamiento de la pila por medio de una expresión profundamente anidada
A stack overflow flaw was found in Golang's regexp module, which can crash the runtime if the application using regexp accepts very long or arbitrarily long regexps from untrusted sources that have sufficient nesting depths. To exploit this vulnerability, an attacker would need to send large regexps with deep nesting to the application. Triggering this flaw leads to a crash of the runtime, which causes a denial of service.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-02-10 CVE Reserved
- 2022-03-05 CVE Published
- 2024-08-03 CVE Updated
- 2024-09-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-674: Uncontrolled Recursion
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf |
|
|
| https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk | Issue Tracking | |
| https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20220325-0010 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202208-02 | 2023-08-08 | |
| https://access.redhat.com/security/cve/CVE-2022-24921 | 2023-01-24 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2064857 | 2023-01-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.16.15 Search vendor "Golang" for product "Go" and version " < 1.16.15" | - |
Affected
| ||||||
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.17 < 1.17.8 Search vendor "Golang" for product "Go" and version " >= 1.17 < 1.17.8" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Astra Trident Search vendor "Netapp" for product "Astra Trident" | - | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||