admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#3181

Browse Source 
Auto-merge PR#3181
This commit is contained in:
CVE Team 2020-02-03 22:05:20 -05:00 committed by GitHub
commit c848f6010b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 77 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
2020/5xxx/CVE-2020-5236.json
View File

@ -1,18 +1,88 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5236",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Catastrophic backtracking in regex allows Denial of Service in Waitress"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Waitress",
"version": {
"version_data": [
{
"version_value": "= 1.4.2"
}
]
}
}
]
},
"vendor_name": "Pylons"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. \nWhen a header like \"Bad-header: xxxxxxxxxxxxxxx\\x10\" is received, it will cause the regular expression engine to \ncatastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions.\nThis allows an attacker to send a single request with an invalid header and take the service offline.\n\nThis issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230.\n\nThe regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc",
"refsource": "CONFIRM",
"url": "https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc"
},
{
"name": "https://github.com/Pylons/waitress/commit/6e46f9e3f014d64dd7d1e258eaf626e39870ee1f",
"refsource": "MISC",
"url": "https://github.com/Pylons/waitress/commit/6e46f9e3f014d64dd7d1e258eaf626e39870ee1f"
}
]
},
"source": {
"advisory": "GHSA-73m2-3pwg-5fgc",
"discovery": "UNKNOWN"
}
}
}