CVE-2021-23362

Aliases: GHSA-43f8-2h32-f4cj
Published: 23 Mar 2021, 16:20
Last modified: 17 Sept 2024, 03:02

Vulnerability Summary

Overall Risk (default): medium (31/100)
CVSS Score: 5.3 MEDIUM (v3.1, cve.org)
EPSS Score: 0.55% (LOW)
KEV: Not listed
Ransomware: No reports
Public exploits: 2 found
Dark Web: Not detected

Timeline

23 Mar 2021, 16:20: Published (vulnerability first disclosed)
17 Sept 2024, 03:02: Last modified (vulnerability information updated)

Description

Versions of the npm package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity: a crafted URL string passed to fromUrl keeps the matching thread busy for a time that grows faster than linearly with the input length. The 2.x release line is affected before 2.8.9 and the 3.x line before 3.0.8 (see Affected Systems). The impact is availability only; the CVSS vector records no confidentiality or integrity loss.

CVSS Metrics

  • v3.1 MEDIUM, score 5.3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C (temporal metrics: proof-of-concept exploit, official fix available, report confirmed)
  • v3.1 MEDIUM, score 5.3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • v2.0 MEDIUM, score 5.0: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.55% (percentile: 68%)

Techniques & Countermeasures

  • CWE-1333: Inefficient Regular Expression Complexity

    The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Systems

  • npm: hosted-git-info

    < 2.8.9 | ≥ 3.0.0, < 3.0.8

  • npmjs: hosted-git-info

    ≥ 2.0.0, < 2.8.9 | ≥ 3.0.0, < 3.0.8

  • siemens: sinec_infrastructure_network_services

    < 1.0.1.1

References (10)