Description
websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
A flaw was found in the websocket-extensions ruby module in versions prior to 0.1.5. The parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and another character. When abused by an attacker, a Regex denial of service on a single-threaded server could occur. The highest threat from this vulnerability is to system availability.
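The root cause described above is a backtracking regular expression used to match a quoted-string parameter value; when the closing quote never arrives, the engine re-tries the `\"`-escape alternation from every position and the work grows quadratically with the header length. The defensive fix is to scan the header once with an explicit cursor so that every byte is examined exactly once, whether or not the string is ever closed. The following Ruby is an added example written for this page; it is not code from the websocket-extensions gem or from Red Hat. The module name `ExtensionHeaderScanner`, its `safe_parse` helper and the simplified RFC 6455 grammar it implements are assumptions of the example.

```ruby
# Added example (not the websocket-extensions gem's code): a linear-time
# scanner for a Sec-WebSocket-Extensions header value. It walks the string
# with an explicit index instead of matching quoted strings with a
# backtracking regex, so an unclosed quoted value costs O(n), not O(n^2).
#
# Grammar handled (RFC 6455 section 9.1, simplified):
#   extension-list = extension *("," extension)
#   extension      = token *(";" param)
#   param          = token ["=" (token / quoted-string)]
module ExtensionHeaderScanner
  class ParseError < StandardError; end

  TOKEN_CHARS = /[!#$%&'*+\-.0-9A-Z^_`a-z|~]/ # RFC 7230 tchar

  # Parse the header value into [[name, {param => value}], ...].
  # Raises ParseError on malformed input, including an unclosed quoted-string.
  def self.parse(header)
    s = Scanner.new(header)
    offers = []
    loop do
      s.skip_ws
      break if s.eos?
      name = s.token
      params = {}
      s.skip_ws
      while s.peek == ';'
        s.advance
        s.skip_ws
        key = s.token
        s.skip_ws
        if s.peek == '='
          s.advance
          s.skip_ws
          params[key] = s.peek == '"' ? s.quoted_string : s.token
        else
          params[key] = true # bare flag parameter, e.g. client_max_window_bits
        end
        s.skip_ws
      end
      offers << [name, params]
      if s.peek == ','
        s.advance
      elsif !s.eos?
        raise ParseError, "unexpected #{s.peek.inspect} at offset #{s.pos}"
      end
    end
    offers
  end

  # Convenience wrapper for a request handler: never raises, so a malformed
  # header is turned into a 400 decision rather than an exception path.
  def self.safe_parse(header)
    { ok: true, offers: parse(header) }
  rescue ParseError => e
    { ok: false, error: e.message }
  end

  class Scanner
    attr_reader :pos

    def initialize(str)
      @str = str
      @pos = 0
    end

    def eos?    = @pos >= @str.length
    def peek    = @str[@pos]
    def advance = @pos += 1

    def skip_ws
      advance while !eos? && (peek == ' ' || peek == "\t")
    end

    def token
      start = @pos
      advance while !eos? && TOKEN_CHARS.match?(peek)
      raise ParseError, "expected token at offset #{start}" if start == @pos
      @str[start...@pos]
    end

    # quoted-string = DQUOTE *(qdtext / quoted-pair) DQUOTE
    # Each byte is consumed exactly once; a backslash consumes the next byte.
    # Reaching end-of-input without a closing quote fails immediately.
    def quoted_string
      advance # opening quote
      out = +""
      until eos?
        c = peek
        advance
        if c == '\\'
          raise ParseError, "dangling backslash at offset #{@pos}" if eos?
          out << peek
          advance
        elsif c == '"'
          return out
        else
          out << c
        end
      end
      raise ParseError, "unclosed quoted-string"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p ExtensionHeaderScanner.safe_parse('permessage-deflate; client_max_window_bits')
end
```

The `safe_parse` wrapper is what a server-side handler would call: a header that fails to parse is rejected with a client error, and because the scanner's cost is bounded by the header length, the rejection costs the same whether the quoted value is closed or not. A regression test that feeds the unclosed, backslash-repeating pattern from the description and asserts on both the error and the elapsed time is the check that keeps this property from regressing.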
Statement

Red Hat CloudForms 4.7 (CFME 5.10) is in the maintenance phase and we will not be fixing Medium/Low impact security bugs. Reference: https://access.redhat.com/support/policy/updates/cloudforms

Red Hat Satellite 6 ships the affected RubyGem websocket-extensions; however, the product is not vulnerable to the flaw. A future update may address this issue.

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification
Affected packages

Platform | Package | State | Advisory | Release |
---|---|---|---|---|
CloudForms Management Engine 5 | cfme-gemset | Out of support scope | | |
Red Hat Satellite 6.8 for RHEL 7 | ansible-collection-redhat-satellite | Fixed | RHSA-2020:4366 | 27.10.2020 |
Red Hat Satellite 6.8 for RHEL 7 | ansiblerole-foreman_scap_client | Fixed | RHSA-2020:4366 | 27.10.2020 |
Red Hat Satellite 6.8 for RHEL 7 | ansiblerole-insights-client | Fixed | RHSA-2020:4366 | 27.10.2020 |
Red Hat Satellite 6.8 for RHEL 7 | ansiblerole-satellite-receptor-installer | Fixed | RHSA-2020:4366 | 27.10.2020 |
Red Hat Satellite 6.8 for RHEL 7 | ansible-runner | Fixed | RHSA-2020:4366 | 27.10.2020 |
Red Hat Satellite 6.8 for RHEL 7 | candlepin | Fixed | RHSA-2020:4366 | 27.10.2020 |
Red Hat Satellite 6.8 for RHEL 7 | createrepo_c | Fixed | RHSA-2020:4366 | 27.10.2020 |
Red Hat Satellite 6.8 for RHEL 7 | foreman | Fixed | RHSA-2020:4366 | 27.10.2020 |
Red Hat Satellite 6.8 for RHEL 7 | foreman-bootloaders-redhat | Fixed | RHSA-2020:4366 | 27.10.2020 |
Additional information

Status:
EPSS:
CVSS3: 7.5 High