7.5

CVE-2022-26650

Apache ShenYu (incubating) Regular expression denial of service

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheShenyu Version2.4.0
ApacheShenyu Version2.4.1
ApacheShenyu Version2.4.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.43% 0.821
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

http://www.openwall.com/lists/oss-security/2022/05/17/3
Patch
Third Party Advisory
Mailing List
https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673
Vendor Advisory
Mailing List