{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2020-26311", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2020-10-01T00:00:00.000Z", "datePublished": "2024-10-26T20:26:35.087Z", "dateUpdated": "2024-10-28T13:42:18.048Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "useragent", "repo": "https://github.com/3rd-Eden/useragent", "vendor": "3rd-Eden", "versions": [{"status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">Useragent is a user agent parser for Node.js.</span> All versions as of time of publication&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">contain one or more regular expressions that are vulnerable to </span><span style=\"background-color: rgb(255, 255, 255);\">Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available.</span></span><br>"}], "value": "Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-26T20:26:35.087Z"}, "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2020-312-redos-useragent/"}, {"url": "https://github.com/3rd-Eden/useragent/issues/167"}], "source": {"advisory": "GHSL-2020-312", "discovery": "UNKNOWN"}, "title": "GHSL-2020-312: Regular Expression Denial of Service (ReDoS) in useragent", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "useragent_project", "product": "useragent", "cpes": ["cpe:2.3:a:useragent_project:useragent:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-28T13:37:14.956695Z", "id": "CVE-2020-26311", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T13:42:18.048Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-26311", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-28T13:37:14.956695Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:useragent_project:useragent:*:*:*:*:*:node.js:*:*"], "vendor": "useragent_project", "product": "useragent", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T13:42:07.839Z"}}], "cna": {"title": "GHSL-2020-312: Regular Expression Denial of Service (ReDoS) in useragent", "source": {"advisory": "GHSL-2020-312", "discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green", "providerUrgency": "GREEN", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/3rd-Eden/useragent", "vendor": "3rd-Eden", "product": "useragent", "versions": [{"status": "affected", "version": "0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2020-312-redos-useragent/"}, {"url": "https://github.com/3rd-Eden/useragent/issues/167"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">Useragent is a user agent parser for Node.js.</span> All versions as of time of publication&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">contain one or more regular expressions that are vulnerable to </span><span style=\"background-color: rgb(255, 255, 255);\">Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available.</span></span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-26T20:26:35.087Z"}}}, "cveMetadata": {"cveId": "CVE-2020-26311", "state": "PUBLISHED", "dateUpdated": "2024-10-28T13:42:18.048Z", "dateReserved": "2020-10-01T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-26T20:26:35.087Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:useragent_project:useragent:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BBA66A46-0609-4D7A-8CB6-B5EAA8E5BB0B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available."}, {"lang": "es", "value": "Useragent es un analizador de agente de usuario para Node.js. Todas las versiones al momento de la publicaci\u00f3n contienen una o m\u00e1s expresiones regulares que son vulnerables a la denegaci\u00f3n de servicio de expresiones regulares (ReDoS). Al momento de la publicaci\u00f3n, no hay parches disponibles."}], "id": "CVE-2020-26311", "lastModified": "2024-10-30T18:07:38.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-26T21:15:14.400", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/3rd-Eden/useragent/issues/167"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2020-312-redos-useragent/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Useragent: GHSL-2020-312: Regular Expression Denial of Service (ReDoS) in useragent", "id": "2321964", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321964"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1333", "details": ["Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available.", "A flaw was found in Useragent package, a user agent parser for Node.js. Affected versions of this package contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2020-26311", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2024-10-26T20:26:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-26311\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26311\nhttps://github.com/3rd-Eden/useragent/issues/167\nhttps://securitylab.github.com/advisories/GHSL-2020-312-redos-useragent/"], "statement": "The ReDoS vulnerability in the useragent library is considered an important severity rather than critical because it primarily affects application availability, not confidentiality or integrity. This vulnerability occurs when inefficient regular expressions lead to excessive backtracking under specific input patterns, potentially causing the application to slow down or become unresponsive. However, ReDoS attacks do not allow an attacker to execute arbitrary code, escalate privileges, or access sensitive data directly.\nLogging Subsystem for Red Hat OpenShiftdoes not impacted & unaffected by this specific CVE because it is used only in the development environment.\nRed Hat Quay 3 does not impacted & unaffected by this specific CVE because its not using node to parse user requests.", "threat_severity": "Important"}