Описание
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| knack | unfixed | package |
Примечания
https://github.com/microsoft/knack/issues/281
Negligible security impact; disputed as security issue upstream in context
of its use by Azure CLI
EPSS
Связанные уязвимости
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 1 of 2).
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.
Microsoft Knack ReDoS Vulnerability in the Introspection Module
EPSS