GHSA-cmcx-xhr8-3w9p

Suggest an improvement
Source
https://github.com/advisories/GHSA-cmcx-xhr8-3w9p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cmcx-xhr8-3w9p/GHSA-cmcx-xhr8-3w9p.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cmcx-xhr8-3w9p
Aliases
Published
2020-02-20T23:26:10Z
Modified
2024-02-08T23:41:56.372068Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Denial of Service in uap-core when processing crafted User-Agent strings
Details

Impact

Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.

Patches

Please update uap-core to >= v0.7.3

Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.

Details

Each vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string.

Regex 1:

\bSmartWatch *\( *([^;]+) *; *([^;]+) *;

is vulnerable in portion *([^;]+) * and can be attacked with

"SmartWatch(" + (" " * 3500) + "z"

e.g.

SmartWatch(                                   z

Regex 2:

; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\)

is vulnerable in portion \d+[^\);]+[^\);]* and can be attacked with

";A Build HuaweiA" + ("4" * 3500) + "z"

Regex 3:

(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\)

is vulnerable in portion *([^;]*) * and can be attacked with

"HbbTV/0.0.0 (;LGE;" + (" " * 3500) + "z"

Regex 4:

(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*;

is vulnerable in portions *(?:CUS:([^;]*)|([^;]+)) * and *([^;]*) * and can be attacked with

"HbbTV/0.0.0 (;CUS:;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;z;" + (" " * 3500) + "z"

Reported by Ben Caller @bcaller

Database specific
{
    "nvd_published_at": "2020-02-21T00:15:10Z",
    "cwe_ids": [
        "CWE-1333",
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-02-20T23:09:32Z"
}
References

Affected packages

npm / uap-core

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.7.3

RubyGems / user_agent_parser

Package

Name
user_agent_parser
Purl
pkg:gem/user_agent_parser

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.6.0

Affected versions

0.*

0.1.0
0.1.1
0.1.2

1.*

1.0.0
1.0.1
1.0.2

2.*

2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.5.3