GHSA-832h-xg76-4gv6

Опубликовано: 29 янв. 2018

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

ReDoS in brace-expansion

Affected versions of brace-expansion are vulnerable to a regular expression denial of service condition.

Proof of Concept

var expand = require('brace-expansion'); expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Recommendation

Update to version 1.1.7 or later.

Ссылки

Пакеты

Наименование

brace-expansion

npm

Затронутые версииВерсия исправления

< 1.1.7

1.1.7

EPSS

Процентиль: 66%

0.0052

Низкий

7.5 High

CVSS3

CVE ID

CVE-2017-18077

Дефекты

CWE-1333

Связанные уязвимости

CVE-2017-18077

CVSS3: 7.5

ubuntu

около 8 лет назад

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

CVE-2017-18077

CVSS3: 5.3

redhat

почти 9 лет назад

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

CVE-2017-18077

CVSS3: 7.5

nvd

около 8 лет назад

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

CVE-2017-18077

CVSS3: 7.5

debian

около 8 лет назад

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expr ...

EPSS

Процентиль: 66%

0.0052

Низкий

7.5 High

CVSS3

CVE ID

CVE-2017-18077

Дефекты

CWE-1333