CVE-2023-32758 – git-url-parse

Package

Manager: pip
Name: git-url-parse
Vulnerable Version: >=0 <=1.2.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00156 pctl0.36921

Details

git-url-parse Regular Expression Denial of Service giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.

Metadata

Created: 2023-05-15T06:30:19Z
Modified: 2023-06-06T18:45:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-4xqq-73wg-5mjp/GHSA-4xqq-73wg-5mjp.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-4xqq-73wg-5mjp
Finding: F211
Auto approve: 1