CVE-2021-21267

Exploit

EPSS 0.87%
Published 19.03.2021 21:15:12
Last modified 21.11.2024 05:47:53
Source security-advisories@github.com
Teams watchlist Login
Open Login

Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected. Users should upgrade to version 2.0.0, which uses a regex expression that isn't vulnerable to ReDoS.

Affected products Warnungen 0 Metrics 4 CWE 2 References 7

Data is provided by the National Vulnerability Database (NVD)

Schema-inspector Project ≫ Schema-inspector SwPlatformnode.js Version < 2.0.0

Netapp ≫ E-series Performance Analyzer Version-

Netapp ≫ Oncommand Insight Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.87%	0.73

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8f

Third Party Advisory

Exploit

https://github.com/schema-inspector/schema-inspector/security/advisories/GHSA-f38p-c2gq-4pmr

Third Party Advisory

Exploit

https://security.netapp.com/advisory/ntap-20210528-0006/

Third Party Advisory

https://www.npmjs.com/package/schema-inspector

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-21267

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-21267

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-21267

EUVD