Description
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
A stack overflow flaw was found in Golang's regexp module. It can crash the runtime if an application accepts very long or arbitrarily long regular expressions with sufficient nesting depth from untrusted sources and passes them to regexp. To exploit this vulnerability, an attacker would need to send large regexps with deep nesting to the application. Triggering this flaw crashes the runtime, which causes a denial of service.
Report
This flaw has been rated as a Moderate impact flaw because the exploitation of this flaw requires that an affected application accept arbitrarily long regexps from untrusted sources, which has inherent risks (even without this flaw), especially involving impacts to application availability.
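The report's point is that the risk comes from handing untrusted, unbounded patterns to regexp.Compile. As an added illustration that is not code from the advisory or from the Go project, the following program shows the defensive pre-check a service can apply before compiling a pattern it received from a client: cap the pattern length and the depth of capturing/non-capturing groups, and reject anything above the cap before the parser sees it. The limits maxPatternLen and maxNestingDepth, the helper nestingDepth and the wrapper CompileUntrusted are assumptions chosen for this example, not values or names from the page; the sample patterns are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Limits applied to regular expressions taken from untrusted input.
// These values are illustrative choices for this example, not values from the advisory.
const (
	maxPatternLen   = 1024
	maxNestingDepth = 64
)

var (
	ErrPatternTooLong = errors.New("pattern exceeds maximum length")
	ErrTooDeep        = errors.New("pattern nests too deeply")
)

// nestingDepth returns the maximum depth of unescaped '(' groups in a pattern.
// Escaped parentheses and parentheses inside a character class are not counted,
// since they do not open a group in RE2 syntax. This is a conservative pre-check,
// not a full parse.
func nestingDepth(pattern string) int {
	depth, maxDepth := 0, 0
	inClass := false
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\':
			i++ // skip the escaped character, inside or outside a class
		case inClass:
			if c == ']' {
				inClass = false
			}
		case c == '[':
			inClass = true
		case c == '(':
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
		case c == ')':
			if depth > 0 {
				depth--
			}
		}
	}
	return maxDepth
}

// CompileUntrusted validates a pattern from an untrusted source before handing it
// to regexp.Compile, so that an oversized or deeply nested expression is rejected
// cheaply instead of reaching the parser.
func CompileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, ErrPatternTooLong
	}
	if nestingDepth(pattern) > maxNestingDepth {
		return nil, ErrTooDeep
	}
	return regexp.Compile(pattern)
}

func main() {
	// Constructed inputs: a benign pattern and one nested far beyond the limit.
	benign := `^(foo|bar)+\d{2}$`
	nested := strings.Repeat("(", 200) + "a" + strings.Repeat(")", 200)
	for _, p := range []string{benign, nested} {
		if _, err := CompileUntrusted(p); err != nil {
			fmt.Printf("rejected (%d bytes): %v\n", len(p), err)
		} else {
			fmt.Printf("accepted (%d bytes)\n", len(p))
		}
	}
}
```

The check runs in one pass over the bytes and never allocates, so it costs far less than the compile it protects. It is a guard for the case the report describes (untrusted patterns reaching the parser); updating to a Go release that carries the fix remains the actual remediation.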
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Migration Toolkit for Containers | cpma | Affected | | |
| Migration Toolkit for Containers | rhmtc/openshift-migration-velero-rhel8 | Affected | | |
| OpenShift Serverless | knative-eventing | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | | |
| OpenShift Service Mesh 2.1 | servicemesh-grafana | Will not fix | | |
| Red Hat Ceph Storage 2 | golang | Out of support scope | | |
| Red Hat Ceph Storage 2 | grafana | Out of support scope | | |
| Red Hat Ceph Storage 3 | golang | Out of support scope | | |
| Red Hat Ceph Storage 3 | golang-github-prometheus-node_exporter | Out of support scope | | |
Additional information
CVSS3: 7.5 High