Описание
Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available.
A flaw was found in Useragent package, a user agent parser for Node.js. Affected versions of this package contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).
Отчет
The ReDoS vulnerability in the useragent library is considered an important severity rather than critical because it primarily affects application availability, not confidentiality or integrity. This vulnerability occurs when inefficient regular expressions lead to excessive backtracking under specific input patterns, potentially causing the application to slow down or become unresponsive. However, ReDoS attacks do not allow an attacker to execute arbitrary code, escalate privileges, or access sensitive data directly. Logging Subsystem for Red Hat OpenShiftdoes not impacted & unaffected by this specific CVE because it is used only in the development environment. Red Hat Quay 3 does not impacted & unaffected by this specific CVE because its not using node to parse user requests.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Not affected |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available.
useragent Regular Expression Denial of Service vulnerability
7.5 High
CVSS3