I received a notice a few days ago from Sonatype. The package apparently has been diagnosed as having a vulnerability.
EXPLANATION
The ua-parser-js package is vulnerable to Regular expression Denial of Service (ReDoS). The regexes object found in ua-parser.js contains a number of unsafe regular expressions that are used in evaluating user generated strings. A remote unauthenticated attacker can exploit this behavior with a specially crafted user-agent string that can cause the application's process to hang as it attempts to evaluate the user-agent.
DETECTION
The application is vulnerable by using this component.
RECOMMENDATION
There is no non-vulnerable version of this component/package. We recommend investigating alternative components or a potential mitigating control. It is important to note that, although parts of the vulnerability have been fixed, as shown in the additional resources, not all of the reported expressions have been fixed and the component remains vulnerable.
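The notice above says the problem is nested, backtracking-prone regexes applied to an attacker-controlled header, and suggests a "mitigating control" while a full fix is pending. The following is an added example (not code from ua-parser-js or from Sonatype) of the two defender-side checks that follow from that: a small star-height audit that flags regex sources where an unbounded quantifier sits inside another quantified group (the classic ReDoS shape, CWE-185 territory), and a request-side control that caps the User-Agent value before it reaches any parser, since catastrophic backtracking cost grows super-linearly with input length. The `starHeight`, `boundUserAgent` and `audit` functions and the sample regexes are assumptions made for this example; the sample patterns are constructed and are not the expressions from `ua-parser.js`.

```javascript
// Added example, not ua-parser-js project code. Assumption: only the
// JavaScript regex syntax subset handled below is recognised; a star height
// of 2 or more is used as a conservative "needs review" flag, not a proof.

// Star height of a regex source string: how deeply unbounded quantifiers
// (*, +, {n,}, {n,m}) nest inside other quantified groups.
function starHeight(source) {
  const stack = [{ inner: 0 }];   // one frame per open group; index 0 is the root
  let lastAtom = 0;               // star height of the atom just completed
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === '\\') {             // escaped character: a plain atom
      lastAtom = 0; i += 2; continue;
    }
    if (c === '[') {              // character class: scan to the closing ']'
      i += 1;
      if (source[i] === '^') i += 1;
      if (source[i] === ']') i += 1;          // a leading ']' is literal
      while (i < source.length && source[i] !== ']') {
        if (source[i] === '\\') i += 1;
        i += 1;
      }
      lastAtom = 0; i += 1; continue;
    }
    if (c === '(') {              // group: push a frame, skip (?: (?= (?! (?<name>
      stack.push({ inner: 0 });
      i += 1;
      if (source[i] === '?') {
        i += 1;
        if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
          while (i < source.length && source[i] !== '>') i += 1;
        }
        i += 1;
      }
      lastAtom = 0; continue;
    }
    if (c === ')') {              // group closes: its height becomes the atom height
      const closed = stack.pop();
      const top = stack[stack.length - 1];
      top.inner = Math.max(top.inner, closed.inner);
      lastAtom = closed.inner; i += 1; continue;
    }
    let quantified = false;
    if (c === '*' || c === '+') {
      quantified = true; i += 1;
    } else if (c === '{') {
      const end = source.indexOf('}', i);
      const body = end === -1 ? '' : source.slice(i + 1, end);
      if (/^\d+(,\d*)?$/.test(body)) {        // syntactically a {n}, {n,} or {n,m}
        quantified = body.includes(',');      // {n} is a fixed count: not counted
        i = end + 1;
      } else { lastAtom = 0; i += 1; }        // literal '{'
    } else {
      lastAtom = 0; i += 1;     // ordinary atom, or '?', '|', '^', '$', '.'
    }
    if (quantified) {
      const height = lastAtom + 1;
      const top = stack[stack.length - 1];
      top.inner = Math.max(top.inner, height);
      if (source[i] === '?') i += 1;          // lazy modifier
      lastAtom = height;
    }
  }
  return stack[0].inner;
}

// Audit a map of name -> RegExp and report which ones deserve review.
function audit(sources) {
  return Object.entries(sources).map(([name, re]) => {
    const height = starHeight(re.source);
    return { name, starHeight: height, review: height >= 2 };
  });
}

// Request-side mitigating control: bound the header before any parser sees it.
// Returns the value to hand to the parser and whether it was altered.
function boundUserAgent(header, maxLength = 256) {
  if (typeof header !== 'string') return { value: '', truncated: false };
  const cleaned = header.replace(/[^\x20-\x7e]/g, '');   // drop non-printables
  if (cleaned.length <= maxLength) {
    return { value: cleaned, truncated: cleaned !== header };
  }
  return { value: cleaned.slice(0, maxLength), truncated: true };
}

// Constructed sample patterns (not the ones from ua-parser.js) to show the audit.
const sampleRegexes = {
  safe: /^[a-z]+\/[0-9.]+$/,           // star height 1: linear in the input
  suspicious: /^(([a-z]+)\s*)+$/,      // star height 2: nested unbounded repetition
};
console.log(audit(sampleRegexes));
console.log(boundUserAgent('Mozilla/5.0 ' + 'x'.repeat(1000)));
```

In practice the audit runs once over a dependency's regex table (the `regexes` object the notice refers to) as a triage step, and the length cap sits in front of the parser as middleware; neither replaces rewriting the flagged expressions, but together they keep the worst case bounded while that rewrite lands.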
Is there any more detailed information regarding the vulnerability? Given that a few days before you posted this issue, I was already fixing some vulnerable regexes: 6d1f26d
ROOT CAUSE
ua-parser-js-0.7.22.tgz package/src/ua-parser.js [0.5.20, )
MORE INFORMATION
CWE-185 - https://cwe.mitre.org/data/definitions/185.html