{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2020-26303", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2020-10-01T00:00:00.000Z", "datePublished": "2024-10-26T20:26:09.544Z", "dateUpdated": "2024-10-28T14:59:29.124Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "insane", "repo": "https://github.com/bevacqua/insane", "vendor": "bevacqua", "versions": [{"lessThanOrEqual": "2.6.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "insane is a&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">contain one or more regular expressions that are vulnerable to </span><span style=\"background-color: rgb(255, 255, 255);\">Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.</span></span><br>"}], "value": "insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-26T20:26:09.544Z"}, "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2020-289-redos-insane/"}, {"url": "https://github.com/bevacqua/insane/issues/19"}], "source": {"advisory": "GHSL-2020-289", "discovery": "UNKNOWN"}, "title": "GHSL-2020-289: Regular Expression Denial of Service (ReDoS) in insane", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "bevacqua", "product": "insane", "cpes": ["cpe:2.3:a:bevacqua:insane:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-28T14:57:34.239141Z", "id": "CVE-2020-26303", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T14:59:29.124Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-26303", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-28T14:57:34.239141Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:bevacqua:insane:*:*:*:*:*:*:*:*"], "vendor": "bevacqua", "product": "insane", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.6.2"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T14:59:25.004Z"}}], "cna": {"title": "GHSL-2020-289: Regular Expression Denial of Service (ReDoS) in insane", "source": {"advisory": "GHSL-2020-289", "discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green", "providerUrgency": "GREEN", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/bevacqua/insane", "vendor": "bevacqua", "product": "insane", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.6.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2020-289-redos-insane/"}, {"url": "https://github.com/bevacqua/insane/issues/19"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.", "supportingMedia": [{"type": "text/html", "value": "insane is a&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">contain one or more regular expressions that are vulnerable to </span><span style=\"background-color: rgb(255, 255, 255);\">Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.</span></span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-26T20:26:09.544Z"}}}, "cveMetadata": {"cveId": "CVE-2020-26303", "state": "PUBLISHED", "dateUpdated": "2024-10-28T14:59:29.124Z", "dateReserved": "2020-10-01T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-26T20:26:09.544Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bevacqua:insane:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D2D5027-EF3C-48A6-A6EA-EAACA27F4542", "versionEndIncluding": "2.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available."}, {"lang": "es", "value": "insane es un sanitizador HTML orientado a listas blancas. Las versiones 2.6.2 y anteriores contienen una o m\u00e1s expresiones regulares que son vulnerables a la denegaci\u00f3n de servicio de expresiones regulares (ReDoS). Al momento de la publicaci\u00f3n, no se conocen parches disponibles."}], "id": "CVE-2020-26303", "lastModified": "2024-11-13T19:55:45.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-26T21:15:13.460", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/bevacqua/insane/issues/19"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2020-289-redos-insane/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "insane: GHSL-2020-289: Regular Expression Denial of Service (ReDoS) in insane", "id": "2321967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321967"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1333", "details": ["insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.", "A flaw was found in the insane package, a whitelist-oriented HTML sanitizer. Affected versions of this package contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2020-26303", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2024-10-26T20:26:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-26303\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26303\nhttps://github.com/bevacqua/insane/issues/19\nhttps://securitylab.github.com/advisories/GHSL-2020-289-redos-insane/"], "statement": "The ReDoS vulnerability in insane is categorized as an important severity issue rather than critical due to the specific conditions required for exploitation and the nature of the impact. ReDoS attacks exploit inefficient regular expressions that cause excessive backtracking, potentially slowing down or freezing an application under targeted input patterns. However, they do not typically allow code execution or unauthorized access to sensitive data, which would elevate it to a critical severity.\nLogging Subsystem for Red Hat OpenShiftdoes not impacted & unaffected by this specific CVE because it is used only in custom notification banners, which are not enabled for use in OpenShift Logging's Kibana.", "threat_severity": "Important"}