Уязвимость DoS атаки и истощения памяти при компиляции регулярных выражений из недоверенных источников
Описание
Программы, которые компилируют регулярные выражения из недоверенных источников, уязвимы для DoS-атак или истощения памяти (memory exhaustion). Хотя представление разбора (парсинга) регулярных выражений линейно зависит от размера входных данных, в некоторых случаях коэффициент роста может достигать 40,000, что приводит к значительному потреблению памяти даже при относительно небольших выражениях.
Исправление
После исправления каждое парсируемое регулярное выражение ограничено мемориальным объемом в 256 МБ. Регулярные выражения, чье представление требует больше места, отвергаются. Нормальное использование регулярных выражений не затрагивается.
Тип уязвимости
- DoS атака
- Истощение памяти
Ссылки
- Patch
- Issue TrackingThird Party Advisory
- Mailing ListRelease Notes
- Vendor Advisory
- Patch
- Issue TrackingThird Party Advisory
- Mailing ListRelease Notes
- Vendor Advisory
Уязвимые конфигурации
Одно из
EPSS
7.5 High
CVSS3
Дефекты
Связанные уязвимости
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
Programs which compile regular expressions from untrusted sources may ...
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
EPSS
7.5 High
CVSS3