exploitDog

GHSA-wqxw-8h5g-hq56

Published: Feb 2, 2023
Source: github
GitHub: Reviewed
CVSS3: 7.5

Description

Switcher Client contains Regular Expression Denial of Service (ReDoS)

Impact

Unsanitized input flows into the Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular Expression Denial of Service (ReDoS) attack.

Patches

Patched in 3.1.4

Workarounds

Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.
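The Impact section describes the flaw class: strategy values are interpolated into a regular expression without sanitization. The following is an added illustration, not code from switcher-client; the helper names (existMatchUnsafe, existMatchSafe, escapeRegExp) and the length cap are assumptions made for the example.

```javascript
// Hypothetical EXIST strategy check in the vulnerable shape: each strategy
// value is passed straight to the RegExp constructor, so regex metacharacters
// in the value become pattern syntax (and a crafted value can force
// catastrophic backtracking, i.e. ReDoS). Not switcher-client's own code.
function existMatchUnsafe(input, strategyValues) {
  return strategyValues.some((v) => new RegExp(v).test(input));
}

// Escape every regex metacharacter so a value is matched literally.
function escapeRegExp(value) {
  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Assumed policy value for this example; pick one that fits real data.
const MAX_VALUE_LENGTH = 256;

// Hardened shape: validate the values and use plain string containment.
// No regex engine is involved, so there is nothing to backtrack on.
function existMatchSafe(input, strategyValues) {
  for (const v of strategyValues) {
    if (typeof v !== "string" || v.length > MAX_VALUE_LENGTH) {
      throw new TypeError("strategy value rejected: not a bounded string");
    }
  }
  return strategyValues.some((v) => input.includes(v));
}

// If a RegExp object is still required by surrounding code, escaping first
// keeps the value literal: the user-controlled text can no longer introduce
// nested quantifiers or alternations of its own.
function existMatchEscaped(input, strategyValues) {
  return strategyValues.some((v) => new RegExp(escapeRegExp(v)).test(input));
}
```

With the unsafe form a value of "." matches any input and a value of "(" throws a SyntaxError from the RegExp constructor; both hardened forms treat those characters as ordinary text.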

Packages

Name: switcher-client
Ecosystem: npm
Affected versions: < 3.1.4
Fixed version: 3.1.4

EPSS

Percentile: 63%
Score: 0.00446
Low

7.5 High

CVSS3

Weaknesses

CWE-1333
CWE-400

Related vulnerabilities

CVSS3: 8.6
nvd
about 3 years ago

Switcher Client is a JavaScript SDK for working with Switcher API, a cloud-based feature flag service. Unsanitized input flows into the Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular Expression Denial of Service (ReDoS) attack. This issue has been patched in version 3.1.4. As a workaround, avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.
