admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-30 18:04:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add CVE-2021-21267 for GHSA-f38p-c2gq-4pmr

Browse Source
This commit is contained in:
Robert Schultheis 2021-03-19 14:24:36 -06:00
parent e675c2ed1d
commit 93dbc04d8f
No known key found for this signature in database
GPG Key ID: 348C4211B4D8BB40
1 changed files with 89 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
2021/21xxx/CVE-2021-21267.json
View File

@ -1,18 +1,101 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21267",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial-of-Service in npm schema-inspector"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "schema-inspector",
"version": {
"version_data": [
{
"version_value": "< 2.0.0"
}
]
}
}
]
},
"vendor_name": "schema-inspector"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected. Users should upgrade to version 2.0.0, which uses a regex expression that isn't vulnerable to ReDoS."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/schema-inspector/schema-inspector/security/advisories/GHSA-f38p-c2gq-4pmr",
"refsource": "CONFIRM",
"url": "https://github.com/schema-inspector/schema-inspector/security/advisories/GHSA-f38p-c2gq-4pmr"
},
{
"name": "https://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8f",
"refsource": "MISC",
"url": "https://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8f"
},
{
"name": "https://www.npmjs.com/package/schema-inspector",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/schema-inspector"
}
]
},
"source": {
"advisory": "GHSA-f38p-c2gq-4pmr",
"discovery": "UNKNOWN"
}
}