Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00eHFxLTczd2ctNW1qcM4AAzUr
git-url-parse Regular Expression Denial of Service
giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.
Permalink: https://github.com/advisories/GHSA-4xqq-73wg-5mjpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00eHFxLTczd2ctNW1qcM4AAzUr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-4xqq-73wg-5mjp, CVE-2023-32758
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-32758
- https://github.com/returntocorp/semgrep/pull/7611
- https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53
- https://pypi.org/project/git-url-parse
- https://github.com/returntocorp/semgrep/pull/7943
- https://github.com/returntocorp/semgrep/pull/7955
- https://github.com/advisories/GHSA-4xqq-73wg-5mjp
Blast Radius: 19.6
Affected Packages
pypi:git-url-parse
Dependent packages: 9Dependent repositories: 415
Downloads: 361,112 last month
Affected Version Ranges: <= 1.2.2
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 1.2.2