CVE-2021-27290

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

References

Affected packages

Git / github.com/graalvm/graalvm-ce-builds

Affected ranges

Type

GIT

Repo

https://github.com/graalvm/graalvm-ce-builds

Events

Introduced

Last affected

55ff3f2503007a859219b5e7f68b0f6ca95225f0

Introduced

Last affected

771d7a8d2b73cf72a2622ca6305dcc9e9306f296

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "20.3.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "21.2.0"
        }
    ]
}

Type

GIT

Repo

https://github.com/npm/ssri

Events

Introduced

0fb45e7e0eba615bf0080bf350c95e19412ff9a9

Fixed

b7c8c7c61db89aeb9fbf7596c0ef17071bc216ef

Introduced

9c76e0cf1079a314880078ddfa1dd2b241ba4133

Fixed

3eec7a375a8c7664d4e33c212058313c6fb43c57

Database specific

{
    "versions": [
        {
            "introduced": "5.2.2"
        },
        {
            "fixed": "6.0.2"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "8.0.1"
        }
    ]
}

Affected versions

v5.*

v5.2.2

v5.2.3

v5.2.4

v5.3.0

v6.*

v6.0.0

v6.0.1

v7.*

v7.0.0

v7.0.1

v7.1.0

v8.*

v8.0.0

vm-19.*

vm-19.3.2

vm-19.3.2-pre

vm-19.3.3

vm-19.3.4

vm-19.3.5

vm-19.3.6

vm-20.*

vm-20.0.1

vm-20.1.0

vm-20.2.0

vm-20.3.0

vm-20.3.1

vm-20.3.1.2

vm-20.3.2

vm-20.3.3

vm-21.*

vm-21.0.0

vm-21.0.0.2

vm-21.1.0

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "1.0.1.1"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-27290.json"