CVE-2020-7793 - OpenCVE

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Siemens	Sinec Ins
Ua-parser-js Project	Ua-parser-js

Configuration 1 [-]

cpe:2.3:a:ua-parser-js_project:ua-parser-js:*:*:*:*:*:node.js:*:*

Configuration 2 [-]

OR	cpe:2.3:a:siemens:sinec_ins::::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:-::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:sp1::::::

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18
https://nvd.nist.gov/vuln/detail/CVE-2020-7793
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387
https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
https://www.cve.org/CVERecord?id=CVE-2020-7793

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-12-11T13:25:17.521640Z

Updated: 2024-09-16T22:45:09.822Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7793

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-11T14:15:11.283

Modified: 2022-09-13T21:23:36.800

Link: CVE-2020-7793

Redhat

Severity : Low

Publid Date: 2020-10-29T00:00:00Z

Links: CVE-2020-7793 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "ua-parser-js", "vendor": "n/a", "versions": [{"lessThan": "0.7.23", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Yeting Li"}, {"lang": "en", "value": "Miguel de Moura"}], "datePublic": "2020-12-11T00:00:00", "descriptions": [{"lang": "en", "value": "The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 6.7, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Regular Expression Denial of Service (ReDoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-13T11:06:19", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"}], "title": "Regular Expression Denial of Service (ReDoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-12-11T13:20:48.750609Z", "ID": "CVE-2020-7793", "STATE": "PUBLIC", "TITLE": "Regular Expression Denial of Service (ReDoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ua-parser-js", "version": {"version_data": [{"version_affected": "<", "version_value": "0.7.23"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Yeting Li"}, {"lang": "eng", "value": "Miguel de Moura"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info)."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Regular Expression Denial of Service (ReDoS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388"}, {"name": "https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18", "refsource": "MISC", "url": "https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:41:01.588Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7793", "datePublished": "2020-12-11T13:25:17.521640Z", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-09-16T22:45:09.822Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ua-parser-js_project:ua-parser-js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8D28E07F-388B-4B47-9657-EE64D67990F9", "versionEndExcluding": "0.7.23", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*", "matchCriteriaId": "C89891C1-DFD7-4E1F-80A9-7485D86A15B5", "versionEndExcluding": "1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*", "matchCriteriaId": "4664B195-AF14-4834-82B3-0B2C98020EB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "75BC588E-CDF0-404E-AD61-02093A1DF343", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info)."}, {"lang": "es", "value": "El paquete ua-parser-js versiones anteriores a 0.7.23, es vulnerable a una Denegaci\u00f3n de Servicio de Expresi\u00f3n Regular (ReDoS) en m\u00faltiples expresiones regulares (v\u00e9ase el commit vinculado para mayor informaci\u00f3n)"}], "id": "CVE-2020-7793", "lastModified": "2022-09-13T21:23:36.800", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2020-12-11T14:15:11.283", "references": [{"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nodejs-ua-parser-js: ReDoS in multiple regexes", "id": "1907451", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907451"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).", "A flaw was found in nodejs-ua-parser-js. The software is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes."], "name": "CVE-2020-7793", "package_state": [{"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Out of support scope", "package_name": "distributed-tracing/jaeger-all-in-one-rhel7", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Out of support scope", "package_name": "distributed-tracing/jaeger-query-rhel7", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "nodejs-ua-parser-js", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Fix deferred", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-logging-kibana6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2020-10-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7793\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7793\nhttps://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599"], "statement": "Red Hat OpenShift Container Platform 4 delivers the kibana package where the ua-parser-js library is bundled, but during the update to container first (to openshift4/ose-logging-kibana6) the dependency was removed and hence kibana package is marked as wontfix. This may be fixed in the future.\nRed Hat Ceph Storage 3 and 4 ship a version of grafana that pulls a version of ua-parser-js (0.7.9) that uses the affected code.", "threat_severity": "Low", "upstream_fix": "nodejs-ua-parser-js 0.7.23"}