Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhmNDQtM214Ni12aGh3
Navigate endpoint is vulnerable to regex injection that may lead to Denial of Service.
Impact
The regex injection that may lead to Denial of Service.
Patches
Will be patched in 2.4 and 3.0
Workarounds
Versions lower than 2.x are only affected if the navigation module is added
References
See this pull request for the fix: https://github.com/graphhopper/graphhopper/pull/2304
If you have any questions or comments about this advisory please send us an Email or create a topic here.
Permalink: https://github.com/advisories/GHSA-hf44-3mx6-vhhwJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhmNDQtM214Ni12aGh3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-hf44-3mx6-vhhw, CVE-2021-29506
References:
- https://github.com/graphhopper/graphhopper/security/advisories/GHSA-hf44-3mx6-vhhw
- https://nvd.nist.gov/vuln/detail/CVE-2021-29506
- https://github.com/graphhopper/graphhopper/pull/2304
- https://github.com/graphhopper/graphhopper/commit/eb189be1fa7443ebf4ae881e737a18f818c95f41
- https://github.com/advisories/GHSA-hf44-3mx6-vhhw
Blast Radius: 8.2
Affected Packages
maven:com.graphhopper:graphhopper-nav
Dependent packages: 0Dependent repositories: 18
Downloads:
Affected Version Ranges: < 2.4
Fixed in: 2.4
All affected versions:
All unaffected versions: