CVE-2020-5243

Exploit

EPSS 0.81%
Veröffentlicht 21.02.2020 00:15:10
Zuletzt bearbeitet 21.11.2024 05:33:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Uap-core Project ≫ Uap-core SwPlatformnode.js Version < 0.7.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.81%	0.734

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	5.7	2.1	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/ua-parser/uap-core/commit/0afd61ed85396a3b5316f18bfd1edfaadf8e88e1

Patch

https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2020-5243

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-5243

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-5243

EUVD