Total: 71 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-23364 | Browserslist Project | Browserslist | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM | The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries. |
| CVE-2021-23362 | Npmjs, Siemens | Hosted-git-info, Sinec Infrastructure Network Services | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM | The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. |
| CVE-2021-26813 | Fedoraproject, Markdown2 Project | Fedora, Markdown2 | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time. |
| CVE-2021-27291 | Debian, Fedoraproject, Pygments | Debian Linux, Fedora, Pygments | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. |
| CVE-2021-39940 | Gitlab | Gitlab | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent. |
| CVE-2021-33502 | Normalize-url Project | Normalize-url | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. |
| CVE-2021-23446 | Handsontable | Handsontable | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in the Handsontable.helper.isNumeric function. |
| CVE-2022-25844 | Angularjs, Fedoraproject, Netapp | Angular, Fedora, Ontap Select Deploy Administration Utility | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher. |
| CVE-2021-23490 | Parse-link-header Project | Parse-link-header | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function. |
| CVE-2021-41817 | Debian, Fedoraproject, Opensuse and 3 more | Debian Linux, Fedora, Factory and 6 more | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. |
| CVE-2022-40897 | Python | Setuptools | 2023-08-08 | N/A | 5.9 MEDIUM | Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. |
| CVE-2022-1510 | Gitlab | Gitlab | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | An issue has been discovered in GitLab affecting all versions starting from 13.9 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious text in the CI Editor and CI Pipeline details page, allowing the attacker to cause uncontrolled resource consumption. |
| CVE-2023-3994 | Gitlab | Gitlab | 2023-08-04 | N/A | 7.5 HIGH | An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint. |
| CVE-2023-3364 | Gitlab | Gitlab | 2023-08-04 | N/A | 7.5 HIGH | An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use AutolinkFilter to the preview_markdown endpoint. |
| CVE-2023-0632 | Gitlab | Gitlab | 2023-08-04 | N/A | 7.5 HIGH | An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible by using crafted payloads to search Harbor Registry. |
| CVE-2022-31781 | Apache | Tapestry | 2023-08-02 | N/A | 7.5 HIGH | Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor. |
| CVE-2023-39174 | Jetbrains | Teamcity | 2023-08-01 | N/A | 7.5 HIGH | In JetBrains TeamCity before 2023.05.2 a ReDoS attack was possible via integration with issue trackers. |
| CVE-2023-36543 | Apache | Airflow | 2023-07-31 | N/A | 6.5 MEDIUM | Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected. |
| CVE-2021-3842 | Debian, Fedoraproject, Nltk | Debian Linux, Fedora, Nltk | 2022-01-12 | 5.0 MEDIUM | 7.5 HIGH | nltk is vulnerable to Inefficient Regular Expression Complexity. |
| CVE-2021-43843 | Jsx-slack Project | Jsx-slack | 2022-01-03 | 5.0 MEDIUM | 7.5 HIGH | jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient for protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into a `<blockquote>` tag _including multibyte characters_, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It also includes an updated test case to confirm rendering multiple tags in `<blockquote>` with multibyte characters. |
| CVE-2021-43805 | Nebulab | Solidus | 2021-12-08 | 5.0 MEDIUM | 7.5 HIGH | Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential backtracking through a fragment like `a.a.` Versions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression. The maintainers added a check for email addresses that are no longer valid that will print information about any affected orders that exist. If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file `config/application.rb` manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity. |
