Total
214 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-48631 | 1 Adobe | 1 Css-tools | 2023-12-18 | N/A | 7.5 HIGH |
| @adobe/css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS. | |||||
| CVE-2022-44572 | 1 Rack Project | 1 Rack | 2023-12-08 | N/A | 7.5 HIGH |
| A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. | |||||
| CVE-2022-44571 | 1 Rack Project | 1 Rack | 2023-12-08 | N/A | 7.5 HIGH |
| There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted. | |||||
| CVE-2022-44570 | 1 Rack Project | 1 Rack | 2023-12-08 | N/A | 7.5 HIGH |
| A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. | |||||
| CVE-2023-46402 | 1 Git-urls Project | 1 Git-urls | 2023-11-28 | N/A | 7.5 HIGH |
| git-urls 1.0.0 allows ReDOS (Regular Expression Denial of Service) in urls.go. | |||||
| CVE-2023-45806 | 1 Discourse | 1 Discourse | 2023-11-17 | N/A | 5.4 MEDIUM |
| Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, if a user has been quoted and uses a `|` in their full name, they might be able to trigger a bug that generates a lot of duplicate content in all the posts they've been quoted by updating their full name again. Version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches contain a patch for this issue. No known workaround exists, although one can stop the "bleeding" by ensuring users only use alphanumeric characters in their full name field. | |||||
| CVE-2023-39619 | 1 Teomantuncer | 1 Node Email Check | 2023-11-07 | N/A | 7.5 HIGH |
| ReDos in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component. | |||||
| CVE-2023-26118 | 2 Angularjs, Fedoraproject | 2 Angular, Fedora | 2023-11-07 | N/A | 5.3 MEDIUM |
| Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. | |||||
| CVE-2023-26117 | 2 Angularjs, Fedoraproject | 2 Angular, Fedora | 2023-11-07 | N/A | 5.3 MEDIUM |
| Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. | |||||
| CVE-2023-26116 | 2 Angularjs, Fedoraproject | 2 Angular, Fedora | 2023-11-07 | N/A | 5.3 MEDIUM |
| Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. | |||||
| CVE-2023-26115 | 1 Word-wrap Project | 1 Word-wrap | 2023-11-07 | N/A | 7.5 HIGH |
| All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable. | |||||
| CVE-2023-26112 | 1 Configobj Project | 1 Configobj | 2023-11-07 | N/A | 5.9 MEDIUM |
| All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file. | |||||
| CVE-2023-26103 | 1 Deno | 1 Deno | 2023-11-07 | N/A | 7.5 HIGH |
| Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. | |||||
| CVE-2023-23925 | 1 Switcherapi | 1 Switcher Client | 2023-11-07 | N/A | 7.5 HIGH |
| Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS). This issue has been patched in version 3.1.4. As a workaround, avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations. | |||||
| CVE-2023-1894 | 1 Puppet | 2 Puppet Enterprise, Puppet Server | 2023-11-07 | N/A | 5.3 MEDIUM |
| A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations. | |||||
| CVE-2022-40897 | 1 Python | 1 Setuptools | 2023-11-07 | N/A | 5.9 MEDIUM |
| Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. | |||||
| CVE-2022-3517 | 3 Debian, Fedoraproject, Minimatch Project | 3 Debian Linux, Fedora, Minimatch | 2023-11-07 | N/A | 7.5 HIGH |
| A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. | |||||
| CVE-2022-37603 | 1 Webpack.js | 1 Loader-utils | 2023-11-07 | N/A | 7.5 HIGH |
| A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. | |||||
| CVE-2022-34749 | 2 Fedoraproject, Mistune Project | 2 Fedora, Mistune | 2023-11-07 | N/A | 7.5 HIGH |
| In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking. | |||||
| CVE-2022-31129 | 3 Debian, Fedoraproject, Momentjs | 3 Debian Linux, Fedora, Moment | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input. | |||||