Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2021-04454

Опубликовано: 03 июл. 2021
Источник: fstec
CVSS3: 7.5
CVSS2: 7.8
EPSS Низкий

Описание

Уязвимость библиотеки Addressable связана с неконтролируемым расходом ресурсов. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, вызвать отказ в обслуживании

Вендор

Сообщество свободного программного обеспечения
Novell Inc.
Red Hat Inc.
Addressable project

Наименование ПО

Debian GNU/Linux
SUSE OpenStack Cloud
SUSE OpenStack Cloud Crowbar
Red Hat Satellite
OpenShift Container Platform
Red Hat 3scale API Management Platform
Addressable

Версия ПО

9 (Debian GNU/Linux)
7 (SUSE OpenStack Cloud)
8 (SUSE OpenStack Cloud Crowbar)
6.0 (Red Hat Satellite)
10 (Debian GNU/Linux)
9 (SUSE OpenStack Cloud Crowbar)
4 (OpenShift Container Platform)
2 (Red Hat 3scale API Management Platform)
от 2.3.0 до 2.8.0 (Addressable)
11 (Debian GNU/Linux)

Тип ПО

Операционная система
Прикладное ПО информационных систем

Операционные системы и аппаратные платформы

Сообщество свободного программного обеспечения Debian GNU/Linux 9
Сообщество свободного программного обеспечения Debian GNU/Linux 10
Сообщество свободного программного обеспечения Debian GNU/Linux 11

Уровень опасности уязвимости

Высокий уровень опасности (базовая оценка CVSS 2.0 составляет 7,8)
Высокий уровень опасности (базовая оценка CVSS 3.0 составляет 7,5)

Возможные меры по устранению уязвимости

Обновление библиотеки Addressable до актуальной версии
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/cve-2021-32740
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2021-32740.html
Для Debian:
использование рекомендаций производителя: https://security-tracker.debian.org/tracker/CVE-2021-32740

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 75%
0.00891
Низкий

7.5 High

CVSS3

7.8 High

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2021-32740

CVSS3: 7.5
ubuntu
больше 4 лет назад

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

redhat логотип

CVE-2021-32740

CVSS3: 7.5
redhat
больше 4 лет назад

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

nvd логотип

CVE-2021-32740

CVSS3: 7.5
nvd
больше 4 лет назад

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

msrc логотип

CVE-2021-32740

CVSS3: 7.5
msrc
больше 4 лет назад

Regular Expression Denial of Service in Addressable templates

debian логотип

CVE-2021-32740

CVSS3: 7.5
debian
больше 4 лет назад

Addressable is an alternative implementation to the URI implementation ...

EPSS

Процентиль: 75%
0.00891
Низкий

7.5 High

CVSS3

7.8 High

CVSS2