Total
214 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-33289 | 1 Urlnorm Project | 1 Urlnorm | 2023-06-28 | N/A | 7.5 HIGH |
| The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs. | |||||
| CVE-2023-33290 | 1 Git-url-parse Project | 1 Git-url-parse | 2023-06-21 | N/A | 7.5 HIGH |
| The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to normalize_url in lib.rs, a similar issue to CVE-2023-32758 (Python). | |||||
| CVE-2021-32837 | 1 Mechanize Project | 1 Mechanize | 2023-06-20 | N/A | 7.5 HIGH |
| mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue. | |||||
| CVE-2023-30608 | 2 Debian, Sqlparse Project | 2 Debian Linux, Sqlparse | 2023-06-14 | N/A | 7.5 HIGH |
| sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-2199 | 1 Gitlab | 1 Gitlab | 2023-06-14 | N/A | 7.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. | |||||
| CVE-2023-2198 | 1 Gitlab | 1 Gitlab | 2023-06-14 | N/A | 7.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. | |||||
| CVE-2023-2132 | 1 Gitlab | 1 Gitlab | 2023-06-13 | N/A | 7.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint. | |||||
| CVE-2023-32758 | 2 Coala, Semgrep | 2 Git-url-parse, Semgrep | 2023-06-09 | N/A | 7.5 HIGH |
| giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package. | |||||
| CVE-2023-33950 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2023-05-31 | N/A | 7.5 HIGH |
| Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs. | |||||
| CVE-2022-23548 | 1 Discourse | 1 Discourse | 2023-05-16 | N/A | 6.5 MEDIUM |
| Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds. | |||||
| CVE-2023-30858 | 1 Denosaurs | 1 Emoji | 2023-05-08 | N/A | 7.5 HIGH |
| The Denosaurs emoji package provides emojis for dinosaurs. Starting in version 0.1.0 and prior to version 0.3.0, the reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. The issue has been patched in 0.3.0. As a workaround, avoid using the `replace`, `unemojify`, or `strip` functions. | |||||
| CVE-2023-27704 | 1 Voidtools | 1 Everything | 2023-04-19 | N/A | 5.5 MEDIUM |
| Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS). | |||||
| CVE-2021-32848 | 1 Octobox Project | 1 Octobox | 2023-03-01 | N/A | 7.5 HIGH |
| Octobox is software for managing GitHub notifications. Prior to pull request (PR) 2807, a user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability. This issue is fixed in PR 2807. | |||||
| CVE-2020-6817 | 1 Mozilla | 1 Bleach | 2023-02-28 | N/A | 7.5 HIGH |
| bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). | |||||
| CVE-2023-24807 | 1 Nodejs | 1 Undici | 2023-02-24 | N/A | 7.5 HIGH |
| Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available. | |||||
| CVE-2023-25167 | 1 Discourse | 1 Discourse | 2023-02-18 | N/A | 5.7 MEDIUM |
| Discourse is an open source discussion platform. In affected versions a malicious user can cause a regular expression denial of service using a carefully crafted git URL. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-22799 | 1 Rubyonrails | 1 Globalid | 2023-02-16 | N/A | 7.5 HIGH |
| A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately. | |||||
| CVE-2023-25166 | 1 Hapi | 1 Formula | 2023-02-16 | N/A | 6.5 MEDIUM |
| formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-23621 | 1 Discourse | 1 Discourse | 2023-02-14 | N/A | 7.5 HIGH |
| Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, a malicious user can cause a regular expression denial of service using a carefully crafted user agent. This issue is patched in version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches. There are no known workarounds. | |||||
| CVE-2021-35065 | 1 Gulpjs | 1 Glob-parent | 2023-01-23 | N/A | 7.5 HIGH |
| The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression. | |||||