CVE-2021-23364

Exploit

EPSS 2.43%
Veröffentlicht 28.04.2021 16:15:08
Zuletzt bearbeitet 21.11.2024 05:51:34
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Regular Expression Denial of Service (ReDoS)

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Browserslist Project ≫ Browserslist SwPlatformnode.js Version >= 4.0.0 < 4.16.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.43%	0.821

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
report@snyk.io	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474

Broken Link

https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98

Patch

Third Party Advisory

https://github.com/browserslist/browserslist/pull/593

Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182

Patch

Third Party Advisory

Exploit

https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194

Patch

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-23364

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-23364

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-23364

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-23364