exploitDog
CVE-2020-26303

Published: 26 Oct 2024
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

A flaw was found in the insane package, a whitelist-oriented HTML sanitizer. Affected versions of this package contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

Statement

The ReDoS vulnerability in insane is rated Important rather than Critical because of the specific conditions required for exploitation and the nature of the impact. ReDoS attacks exploit inefficient regular expressions that cause excessive backtracking: a crafted input makes the regex engine explore an exponential number of match attempts before failing, which can slow down or freeze the application that runs the sanitizer. They do not typically allow code execution or unauthorized access to sensitive data, which is what would elevate the issue to Critical. Logging Subsystem for Red Hat OpenShift is not affected by this CVE because insane is used only in custom notification banners, which are not enabled in OpenShift Logging's Kibana.
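The backtracking behaviour described above, shown as an added illustration that is not code from the insane package or from Red Hat. The pattern `/^(\w+\s?)*$/` is a constructed matcher for whitespace-separated words in the style of attribute parsing, not insane's actual regex (the advisory does not identify it); `measureMs`, `attackInput`, `regexesAgree` and `matchesBounded` are assumed helper names. The block also shows the two practical checks that matter while no patch exists: that a hardened pattern accepts exactly the same language, and that an input-length cap bounds the work an exponential pattern can do. Runs under Node.js 16 or later (`performance.now` is global there).

```javascript
// Added illustration of catastrophic backtracking (ReDoS, CWE-1333), the bug
// class the advisory describes. The pattern below is a CONSTRUCTED example,
// NOT the regular expression from the insane package.

// Vulnerable: nested quantifiers with an optional separator mean a run of n
// word characters can be split into 2^(n-1) different group sequences. A tail
// that matches neither \w nor \s forces the engine to try every split before
// reporting failure.
const VULNERABLE_RE = /^(\w+\s?)*$/;

// Hardened: accepts the same language, but each position can be consumed in
// exactly one way (a word, then zero or more "space word" groups, then an
// optional trailing space), so a failed match backtracks linearly.
const SAFE_RE = /^(\w+(\s\w+)*\s?)?$/;

// Time one test() call in milliseconds.
function measureMs(re, input) {
  const start = performance.now();
  re.test(input);
  return performance.now() - start;
}

// Worst-case input for the vulnerable pattern: n word characters followed by
// a character that can match neither \w nor \s.
function attackInput(n) {
  return "a".repeat(n) + "!";
}

// Sanity check for the rewrite: both patterns must agree on every input.
function regexesAgree(inputs) {
  return inputs.every((s) => VULNERABLE_RE.test(s) === SAFE_RE.test(s));
}

// Length cap as a pre-check (assumed helper, not an insane API). For an
// exponential pattern, bounding n bounds the total backtracking work, which
// is the cheapest mitigation when the library itself cannot be patched.
function matchesBounded(re, input, maxLen = 256) {
  if (input.length > maxLen) {
    return { ok: false, reason: `input longer than ${maxLen} characters` };
  }
  return { ok: true, match: re.test(input) };
}

// Stand-alone demo: growth of the failing-match cost with input length.
// Inputs are constructed here, not taken from any real request.
function demo() {
  for (const n of [16, 18, 20, 22]) {
    const input = attackInput(n);
    const slow = measureMs(VULNERABLE_RE, input).toFixed(2);
    const fast = measureMs(SAFE_RE, input).toFixed(3);
    console.log(`n=${n}: vulnerable ${slow} ms, hardened ${fast} ms`);
  }
  console.log(matchesBounded(VULNERABLE_RE, attackInput(1000)));
}

demo();
```

Doubling n roughly doubles the vulnerable pattern's time on the failing input, while the hardened pattern stays flat; the bounded wrapper rejects the 1000-character attack string before the regex ever runs. The same two checks apply to any regex you cannot replace: confirm the rewrite preserves semantics on a corpus of real inputs, and cap input size at the trust boundary.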

Mitigation

Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, and stability.

Affected packages

Platform: Logging Subsystem for Red Hat OpenShift
Package: openshift-logging/kibana6-rhel8
State: Not affected
Recommendation: none listed
Release: none listed


Additional information

Severity (Red Hat): Important
Weakness: CWE-1333 (Inefficient Regular Expression Complexity)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2321967
Title: insane: GHSL-2020-289: Regular Expression Denial of Service (ReDoS) in insane

EPSS: 0.00122 (percentile 32%, Low)
CVSS3: 7.5 (High)

Related vulnerabilities

nvd, CVSS3: 7.5, more than 1 year ago
insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

github, CVSS3: 7.5, more than 1 year ago
insane vulnerable to Regular Expression Denial of Service
