CVE-2021-27290
Aliases:GHSA-vx3p-948g-6vhq
Advisory lineage Upstream: 0 Downstream: 27
Modified
Published: 12 Mar 2021, 21:47
Last modified:03 Aug 2024, 20:48
Vulnerability Summary
Overall Risk (default)
medium
40/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
2.46% LOW
2% probability -0.17%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected
Timeline
12 Mar 2021, 21:47
Published
Vulnerability first disclosed
03 Aug 2024, 20:48
Last Modified
Vulnerability information updated
Description
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 2.46%• Percentile: 86%
Affected Systems
- Npm•ssri
≥ 5.2.2, < 6.0.2 | ≥ 7.0.0, < 7.1.1 | ≥ 8.0.0, < 8.0.1
- oracle•graalvm
20.3.3 | 21.2.0
- siemens•sinec_infrastructure_network_services
< 1.0.1.1
- ssri_project•ssri
≥ 5.2.2, < 6.0.2 | ≥ 7.0.0, < 8.0.1
References (12)
- https://npmjs.com
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
- https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2021-27290
- https://github.com/npm/ssri/pull/20#issuecomment-842677644
- https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
- https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538
- https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1
- https://github.com/npm/ssri
- https://www.npmjs.com/package/ssri