Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNtY3gteGhyOC0zdzlw
Denial of Service in uap-core when processing crafted User-Agent strings
Impact
Some regexes are vulnerable to regular expression denial of service (ReDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.
Patches
Please update uap-core to >= v0.7.3
Downstream packages such as uap-python, uap-ruby, etc., which depend upon uap-core, follow different version schemes.
Details
Each vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string.
Regex 1:
\bSmartWatch *\( *([^;]+) *; *([^;]+) *;
is vulnerable in portion *([^;]+) *
and can be attacked with
"SmartWatch(" + (" " * 3500) + "z"
e.g. SmartWatch( followed by 3500 spaces and then z (the run of spaces is collapsed in this rendering)
Regex 2:
; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\)
is vulnerable in portion \d+[^\);]+[^\);]*
and can be attacked with
";A Build HuaweiA" + ("4" * 3500) + "z"
Regex 3:
(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\)
is vulnerable in portion *([^;]*) *
and can be attacked with
"HbbTV/0.0.0 (;LGE;" + (" " * 3500) + "z"
Regex 4:
(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*;
is vulnerable in portions *(?:CUS:([^;]*)|([^;]+)) *
and *([^;]*) *
and can be attacked with
"HbbTV/0.0.0 (;CUS:;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;z;" + (" " * 3500) + "z"
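Added example, not part of the advisory or of uap-core: a Python guard that bounds the User-Agent length before Regex 1 above is applied, plus a timer a maintainer can use to confirm the cubic growth on their own regex set at small lengths. The 512-character cap and the sample User-Agent strings are assumptions chosen for illustration.

```python
import re
import time

# Regex 1 from the advisory (uap-core < 0.7.3). The adjacent ' *' and '[^;]+'
# both accept spaces, so on a long run of spaces the engine tries every way of
# splitting it between them before the trailing ';' fails: roughly n**3 steps.
VULNERABLE_SMARTWATCH = re.compile(r"\bSmartWatch *\( *([^;]+) *; *([^;]+) *;")

# Assumed cap, chosen for illustration: real browser User-Agent headers are a
# few hundred bytes. Upgrading uap-core is the fix; this guard is defence in
# depth for the window before the upgrade ships.
MAX_UA_LENGTH = 512


def bounded_user_agent(ua, max_len=MAX_UA_LENGTH):
    """Return ua if it is present and within the cap, else None, so that an
    overlong header is treated as unparseable instead of reaching the regex."""
    if ua is None or len(ua) > max_len:
        return None
    return ua


def match_smartwatch(ua, max_len=MAX_UA_LENGTH):
    """Apply the regex only to bounded input; returns (device, version) or None."""
    ua = bounded_user_agent(ua, max_len)
    if ua is None:
        return None
    m = VULNERABLE_SMARTWATCH.search(ua)
    return (m.group(1).strip(), m.group(2).strip()) if m else None


def time_crafted_input(n):
    """Seconds the unguarded regex spends on the advisory's crafted string of
    length n. Keep n small (100-300): the time grows roughly with n**3."""
    crafted = "SmartWatch(" + (" " * n) + "z"
    start = time.perf_counter()
    VULNERABLE_SMARTWATCH.search(crafted)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample User-Agent: a well-formed header still parses.
    print(match_smartwatch("Mozilla/5.0 (Linux) SmartWatch( Gear S2 ; 1.0 ; x)"))
    # The advisory's 3500-space string never reaches the regex.
    print(match_smartwatch("SmartWatch(" + (" " * 3500) + "z"))
    for n in (100, 200, 300):
        print(f"n={n}: {time_crafted_input(n) * 1000:.1f} ms")
```

Doubling n should roughly multiply the measured time by eight on an unpatched regex set; a patched set stays flat.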
Reported by Ben Caller @bcaller
Permalink: https://github.com/advisories/GHSA-cmcx-xhr8-3w9p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNtY3gteGhyOC0zdzlw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: 3 months ago
CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-cmcx-xhr8-3w9p, CVE-2020-5243
References:
- https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
- https://github.com/ua-parser/uap-core/commit/0afd61ed85396a3b5316f18bfd1edfaadf8e88e1
- https://nvd.nist.gov/vuln/detail/CVE-2020-5243
- https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/user_agent_parser/CVE-2020-5243.yml
- https://github.com/advisories/GHSA-cmcx-xhr8-3w9p
Blast Radius: 23.0
Affected Packages
rubygems:user_agent_parser
Dependent packages: 19
Dependent repositories: 387
Downloads: 27,597,011 total
Affected Version Ranges: < 2.6.0
Fixed in: 2.6.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.5.3
All unaffected versions: 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.17.0
npm:uap-core
Dependent packages: 5
Dependent repositories: 28
Downloads: 4,062 last month
Affected Version Ranges: < 0.7.3
Fixed in: 0.7.3
All affected versions: 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.11, 0.7.0, 0.7.1, 0.7.2
All unaffected versions: 0.7.3, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.18.0