CVE-2023-32758

EPSS 1.03%
Veröffentlicht 15.05.2023 04:15:10
Zuletzt bearbeitet 23.01.2025 20:15:30
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Coala ≫ Git-url-parse Version <= 1.2.2

Semgrep ≫ Semgrep Version <= 1.21.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.03%	0.593

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53

Product

https://github.com/returntocorp/semgrep/pull/7611

Patch

Issue Tracking

https://github.com/returntocorp/semgrep/pull/7943

https://github.com/returntocorp/semgrep/pull/7955

https://pypi.org/project/git-url-parse

Product

https://nvd.nist.gov/vuln/detail/CVE-2023-32758

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32758

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32758

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-32758