CVE-2021-23382

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-23382

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23382.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-23382

Aliases

GHSA-566m-qj78-rww5
SNYK-JAVA-ORGWEBJARSNPM-1255641
SNYK-JS-POSTCSS-1255640

Related

UBUNTU-CVE-2021-23382

Published

2021-04-26T16:15:07Z

Modified

2024-10-12T06:59:10.519964Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/*\s* sourceMappingURL=(.*).

References

Affected packages

Debian:11 / node-postcss

Package

Name: node-postcss
Purl: pkg:deb/debian/node-postcss?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.2.1+~cs5.3.23-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-postcss

Package

Name: node-postcss
Purl: pkg:deb/debian/node-postcss?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.2.1+~cs5.3.23-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-postcss

Package

Name: node-postcss
Purl: pkg:deb/debian/node-postcss?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.2.1+~cs5.3.23-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/postcss/postcss

Affected ranges

Type: GIT
Repo: https://github.com/postcss/postcss
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2b1d04c867995e55124e0a165b7c6622c1735956

Affected versions

0.*

0.1

0.2

0.3

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

1.*

1.0.0

2.*

2.0.0

2.1.0

2.1.1

2.1.2

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.1.0

4.1.1

4.1.10

4.1.11

4.1.12

4.1.13

4.1.14

4.1.15

4.1.16

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

5.*

5.0.0

5.0.1

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

5.0.18

5.0.19

5.0.2

5.0.20

5.0.21

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.1.0

5.1.1

5.1.2

5.2.0

5.2.1

5.2.10

5.2.11

5.2.12

5.2.13

5.2.14

5.2.15

5.2.16

5.2.17

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

6.*

6.0.0

6.0.1

6.0.10

6.0.11

6.0.12

6.0.13

6.0.14

6.0.15

6.0.16

6.0.17

6.0.18

6.0.19

6.0.2

6.0.20

6.0.21

6.0.22

6.0.23

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

6.0.9

7.*

7.0.0

7.0.1

7.0.10

7.0.11

7.0.12

7.0.13

7.0.14

7.0.15

7.0.16

7.0.17

7.0.18

7.0.19

7.0.2

7.0.20

7.0.21

7.0.22

7.0.23

7.0.24

7.0.25

7.0.26

7.0.27

7.0.28

7.0.29

7.0.3

7.0.30

7.0.31

7.0.32

7.0.4

7.0.5

7.0.6

7.0.7

7.0.8

7.0.9

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.0.7

8.0.8

8.0.9

8.1.0

8.1.1

8.1.10

8.1.11

8.1.12

8.1.13

8.1.14

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.2.0

8.2.1

8.2.10

8.2.11

8.2.12

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.2.9