Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ4N20tajcyOC1tancz
uap-core Regular Expression Denial of Service issue
An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS) issue allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to a value containing a long digit string. (The UAP-Core project contains the vulnerability, propagating to all implementations.)
Permalink: https://github.com/advisories/GHSA-fx7m-j728-mjw3JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ4N20tajcyOC1tancz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Percentage: 0.00776
EPSS Percentile: 0.81625
Identifiers: GHSA-fx7m-j728-mjw3, CVE-2018-20164
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-20164
- https://github.com/ua-parser/uap-core/issues/332
- https://github.com/ua-parser/uap-core/commit/010ccdc7303546cd22b9da687c29f4a996990014
- https://github.com/ua-parser/uap-core/commit/156f7e12b215bddbaf3df4514c399d683e6cdadc
- https://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/
- https://github.com/advisories/GHSA-fx7m-j728-mjw3
Blast Radius: 7.7
Affected Packages
npm:uap-core
Dependent packages: 5Dependent repositories: 28
Downloads: 5,627 last month
Affected Version Ranges: < 0.6.0
Fixed in: 0.6.0
All affected versions:
All unaffected versions: 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.11, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.18.0