logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2020-5243 uap-core

Package

Manager: npm
Name: uap-core
Vulnerable Version: >=0 <0.7.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00805 pctl0.73258

Details

Denial of Service in uap-core when processing crafted User-Agent strings ### Impact Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. ### Patches Please update uap-core to &amp;amp;gt;= v0.7.3 Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes. ### Details Each vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string. #### Regex 1: ``` \bSmartWatch *\( *([^;]+) *; *([^;]+) *; ``` is vulnerable in portion ` *([^;]+) *` and can be attacked with ```python &amp;amp;quot;SmartWatch(&amp;amp;quot; + (&amp;amp;quot; &amp;amp;quot; * 3500) + &amp;amp;quot;z&amp;amp;quot; ``` e.g. ``` SmartWatch( z ``` #### Regex 2: ``` ; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\) ``` is vulnerable in portion `\d+[^\);]+[^\);]*` and can be attacked with ```python &amp;amp;quot;;A Build HuaweiA&amp;amp;quot; + (&amp;amp;quot;4&amp;amp;quot; * 3500) + &amp;amp;quot;z&amp;amp;quot; ``` #### Regex 3: ``` (HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\) ``` is vulnerable in portion ` *([^;]*) *` and can be attacked with ```python &amp;amp;quot;HbbTV/0.0.0 (;LGE;&amp;amp;quot; + (&amp;amp;quot; &amp;amp;quot; * 3500) + &amp;amp;quot;z&amp;amp;quot; ``` #### Regex 4: ``` (HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*; ``` is vulnerable in portions ` *(?:CUS:([^;]*)|([^;]+)) *` and ` *([^;]*) *` and can be attacked with ```python &amp;amp;quot;HbbTV/0.0.0 (;CUS:;&amp;amp;quot; + (&amp;amp;quot; &amp;amp;quot; * 3500) + &amp;amp;quot;z&amp;amp;quot; &amp;amp;quot;HbbTV/0.0.0 (;&amp;amp;quot; + (&amp;amp;quot; &amp;amp;quot; * 3500) + &amp;amp;quot;z&amp;amp;quot; &amp;amp;quot;HbbTV/0.0.0 (;z;&amp;amp;quot; + (&amp;amp;quot; &amp;amp;quot; * 3500) + &amp;amp;quot;z&amp;amp;quot; ``` Reported by Ben Caller @bcaller

Metadata

Created: 2020-02-20T23:26:10Z
Modified: 2024-02-08T22:49:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cmcx-xhr8-3w9p/GHSA-cmcx-xhr8-3w9p.json
CWE IDs: ["CWE-1333", "CWE-20"]
Alternative ID: GHSA-cmcx-xhr8-3w9p
Finding: F211
Auto approve: 1