Description
@adobe/css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.
A Regular Expression Denial of Service (ReDoS) vulnerability was found in Adobe's css-tools when parsing CSS. The issue stems from improper input validation and may allow an attacker who supplies a carefully crafted CSS input string to cause a denial of service when that string is parsed.
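The practical first step for a defender is an inventory check: find every copy of @adobe/css-tools that a Node.js project has installed, including nested copies pulled in by other dependencies, and flag those in the affected range ("4.3.1 and earlier", as the advisory states). The script below is an added example written for this page, not code from Adobe or Red Hat. It reads an npm package-lock.json (lockfileVersion 2/3 "packages" map, with a fallback for the older lockfileVersion 1 "dependencies" tree), compares versions against 4.3.1, and reports hits. The sample lock file and the package names `some-ui-lib` and `other-lib` in it are constructed for the demonstration; a pre-release tag such as 4.3.1-rc.1 is treated as 4.3.1 and therefore flagged, which is the conservative choice.

```python
"""Flag installed copies of @adobe/css-tools in the affected range (<= 4.3.1).

Added example for this advisory; not part of the original page or of any vendor tooling.
"""
from __future__ import annotations

import json
import re

AFFECTED_PACKAGE = "@adobe/css-tools"
# The advisory states that "versions 4.3.1 and earlier" are affected.
LAST_AFFECTED = (4, 3, 1)

# major.minor.patch with an optional pre-release/build suffix (ignored for the comparison).
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?$")


def parse_semver(version: str) -> tuple[int, int, int]:
    """Return (major, minor, patch). Pre-release tags are dropped, so 4.3.1-rc.1
    compares equal to 4.3.1 and is flagged (conservative)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version is 4.3.1 or earlier."""
    return parse_semver(version) <= LAST_AFFECTED


def _walk_v1(deps: dict, prefix: str):
    """lockfileVersion 1 layout: nested 'dependencies' objects."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield path, meta.get("version", "")
        yield from _walk_v1(meta.get("dependencies", {}), path + "/")


def iter_installed(lock: dict):
    """Yield (install path, version) for every installed package in the lock file."""
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if path == "":
                continue  # the root project entry, not a dependency
            yield path, meta.get("version", "")
    else:  # lockfileVersion 1
        yield from _walk_v1(lock.get("dependencies", {}), "")


def find_affected(lock_text: str) -> list[tuple[str, str]]:
    """Return sorted (path, version) pairs for affected copies of the package."""
    lock = json.loads(lock_text)
    hits = []
    for path, version in iter_installed(lock):
        # The last "node_modules/" segment is the package name, scoped names included.
        name = path.split("node_modules/")[-1]
        if name != AFFECTED_PACKAGE or not version:
            continue
        try:
            if is_affected(version):
                hits.append((path, version))
        except ValueError:
            hits.append((path, version))  # unparseable version: report rather than skip
    return sorted(hits)


# Constructed sample lock file: one top-level copy and two nested copies of the package.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@adobe/css-tools": {"version": "4.3.1"},
        "node_modules/some-ui-lib": {"version": "2.0.0"},
        "node_modules/some-ui-lib/node_modules/@adobe/css-tools": {"version": "4.2.0"},
        "node_modules/other-lib": {"version": "1.0.0"},
        "node_modules/other-lib/node_modules/@adobe/css-tools": {"version": "4.4.0"},
    },
})

if __name__ == "__main__":
    for path, version in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED {path} {version}")
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the file's contents; nested copies matter because a top-level upgrade does not touch a copy pinned by another dependency.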
Statement
The Regular Expression Denial of Service (ReDoS) vulnerability in css-tools, triggered by improper input validation when parsing CSS, is considered of moderate severity. While it can lead to a denial of service by causing the application to become unresponsive, the impact is limited to scenarios where an attacker can provide crafted input. Additionally, the absence of evidence of active exploitation in the wild and contextual factors, such as the software's usage, contribute to the moderate severity rating.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Cryostat 2 | css-tools | Not affected | | |
| Migration Toolkit for Applications 6 | mta/mta-ui-rhel9 | Will not fix | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-console-plugin-rhel9 | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-ui-rhel8 | Affected | | |
| Red Hat Ansible Automation Platform 2 | aap-cloud-ui-container | Affected | | |
| Red Hat Build of Keycloak | css-tools | Not affected | | |
| Red Hat build of OptaPlanner 8 | css-tools | Not affected | | |
| Red Hat Data Grid 8 | css-tools | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | css-tools | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/nmstate-console-plugin-rhel9 | Will not fix | | |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
@adobe/css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.
Adobe Systems Incorporated: CVE-2023-Improper Input Validation Denial of Service Vulnerability
@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity
Vulnerability in the css-tools CSS parser for Node.js, related to insufficient input validation, allowing an attacker to cause a denial of service