Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRndzMtOGY3Ny1mNzJj

Regular expression denial of service in codemirror

This affects the package codemirror before 5.58.2 and the package org.apache.marmotta.webjars:codemirror before 5.58.2.
The vulnerable regular expression is located at https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDoS vulnerability in this regex stems mainly from the sub-pattern (s|/.?/).

Permalink: https://github.com/advisories/GHSA-4gw3-8f77-f72c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRndzMtOGY3Ny1mNzJj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Identifiers: GHSA-4gw3-8f77-f72c, CVE-2020-7760
References: Repository: https://github.com/codemirror/CodeMirror
Blast Radius: 26.8

Affected Packages

npm:codemirror
Dependent packages: 4,580
Dependent repositories: 112,084
Downloads: 11,343,119 last month
Affected Version Ranges: < 5.58.2
Fixed in: 5.58.2
All affected versions: 2.33.0, 3.11.1, 3.12.0, 3.13.0, 3.14.1, 3.15.0, 3.16.0, 3.17.0, 3.18.0, 3.19.0, 3.20.0, 3.21.0, 3.22.0, 3.23.0, 3.24.0, 4.0.3, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.13.2, 5.13.4, 5.14.0, 5.14.2, 5.15.0, 5.15.2, 5.16.0, 5.17.0, 5.18.0, 5.18.2, 5.18.3, 5.19.0, 5.20.0, 5.20.2, 5.21.0, 5.22.0, 5.22.2, 5.23.0, 5.24.0, 5.24.2, 5.25.0, 5.25.2, 5.26.0, 5.27.0, 5.27.2, 5.27.4, 5.28.0, 5.29.0, 5.30.0, 5.31.0, 5.32.0, 5.33.0, 5.34.0, 5.35.0, 5.36.0, 5.37.0, 5.38.0, 5.39.0, 5.39.2, 5.40.0, 5.40.2, 5.41.0, 5.42.0, 5.42.2, 5.43.0, 5.44.0, 5.45.0, 5.46.0, 5.47.0, 5.48.0, 5.48.2, 5.48.4, 5.49.0, 5.49.2, 5.50.0, 5.50.2, 5.51.0, 5.52.0, 5.52.2, 5.53.0, 5.53.2, 5.54.0, 5.55.0, 5.56.0, 5.57.0, 5.58.0, 5.58.1
All unaffected versions: 5.58.2, 5.58.3, 5.59.0, 5.59.1, 5.59.2, 5.59.3, 5.59.4, 5.60.0, 5.61.0, 5.61.1, 5.62.0, 5.62.1, 5.62.2, 5.62.3, 5.63.0, 5.63.1, 5.63.2, 5.63.3, 5.64.0, 5.65.0, 5.65.1, 5.65.2, 5.65.3, 5.65.4, 5.65.5, 5.65.6, 5.65.7, 5.65.8, 5.65.9, 5.65.10, 5.65.11, 5.65.12, 5.65.13, 5.65.14, 5.65.15, 5.65.16, 6.0.0, 6.0.1, 6.65.7