Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQzZjgtMmgzMi1mNGNq
Regular Expression Denial of Service in hosted-git-info
The npm package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQzZjgtMmgzMi1mNGNq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 8 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-43f8-2h32-f4cj, CVE-2021-23362
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23362
- https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356
- https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
- https://github.com/npm/hosted-git-info/pull/76
- https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7
- https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01
- https://github.com/npm/hosted-git-info/commits/v2
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/advisories/GHSA-43f8-2h32-f4cj
Affected Packages
npm:hosted-git-info
Versions: < 2.8.9, >= 3.0.0, < 3.0.8Fixed in: 2.8.9, 3.0.8