CVE-2024-21490

Published: 10 Feb 2024
Source: redhat
CVSS3: 7.5

Description

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. Note: This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.

An Inefficient Regular Expression Complexity vulnerability was found in NodeJS Angular. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking, leading to denial of service.

Statement

The vulnerability in the Angular package has been categorized as having moderate severity rather than being labeled as important due to several factors. While the regular expression used for splitting the value of the ng-srcset directive is susceptible to super-linear runtime caused by backtracking, the practical exploitation of this vulnerability requires a large, carefully-crafted input. Such input, which triggers catastrophic backtracking and potential denial of service, would not be easily achievable in typical use cases. Additionally, the affected package, Angular 1.3.0, is already designated as End of Life (EOL) and is not receiving updates, limiting its relevance to current development practices. Red Hat Enterprise Linux is not affected, as it does not ship the vulnerable code.

Mitigation

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | | |
| Red Hat Enterprise Linux 6 | firefox | Not affected | | |
| Red Hat Enterprise Linux 6 | thunderbird | Not affected | | |
| Red Hat Enterprise Linux 7 | firefox | Not affected | | |
| Red Hat Enterprise Linux 7 | thunderbird | Not affected | | |
| Red Hat Enterprise Linux 8 | firefox | Not affected | | |
| Red Hat Enterprise Linux 8 | firefox:flatpak/firefox | Not affected | | |
| Red Hat Enterprise Linux 8 | grafana | Not affected | | |
| Red Hat Enterprise Linux 8 | mozjs60 | Not affected | | |
| Red Hat Enterprise Linux 8 | thunderbird | Not affected | | |

Additional information

Status:

Moderate
Weakness:
CWE-1333
https://bugzilla.redhat.com/show_bug.cgi?id=2263754
angular: Inefficient Regular Expression Complexity

7.5 High

CVSS3

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 2 years ago

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

CVSS3: 7.5
nvd
almost 2 years ago

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

CVSS3: 7.5
debian
almost 2 years ago

This affects versions of the package angular from 1.3.0. A regular exp ...

CVSS3: 7.5
github
almost 2 years ago

angular vulnerable to super-linear runtime due to backtracking

CVSS3: 7.5
fstec
about 2 years ago

Vulnerability in the ng-srcset component of the Angular application design environment and single-page application development platform, allowing an attacker to cause a denial of service