CVE-2021-21317 - OpenCVE

uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Uap-core Project	Uap-core

Configuration 1 [-]

cpe:2.3:a:uap-core_project:uap-core:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/ua-parser/uap-core/commit/dc9925d458214cfe87b93e35346980612f6ae96c
https://github.com/ua-parser/uap-core/security/advisories/GHSA-p4pj-mg4r-x6v4
https://www.npmjs.com/package/uap-core

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-02-16T17:45:16

Updated: 2024-08-03T18:09:15.054Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21317

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-02-16T18:15:12.583

Modified: 2024-02-08T20:29:02.863

Link: CVE-2021-21317

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "uap-core", "vendor": "ua-parser", "versions": [{"status": "affected", "version": "< 0.11.0"}]}], "descriptions": [{"lang": "en", "value": "uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-16T17:45:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ua-parser/uap-core/security/advisories/GHSA-p4pj-mg4r-x6v4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ua-parser/uap-core/commit/dc9925d458214cfe87b93e35346980612f6ae96c"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/uap-core"}], "source": {"advisory": "GHSA-p4pj-mg4r-x6v4", "discovery": "UNKNOWN"}, "title": "Denial of Service in uap-core", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21317", "STATE": "PUBLIC", "TITLE": "Denial of Service in uap-core"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "uap-core", "version": {"version_data": [{"version_value": "< 0.11.0"}]}}]}, "vendor_name": "ua-parser"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ua-parser/uap-core/security/advisories/GHSA-p4pj-mg4r-x6v4", "refsource": "CONFIRM", "url": "https://github.com/ua-parser/uap-core/security/advisories/GHSA-p4pj-mg4r-x6v4"}, {"name": "https://github.com/ua-parser/uap-core/commit/dc9925d458214cfe87b93e35346980612f6ae96c", "refsource": "MISC", "url": "https://github.com/ua-parser/uap-core/commit/dc9925d458214cfe87b93e35346980612f6ae96c"}, {"name": "https://www.npmjs.com/package/uap-core", "refsource": "MISC", "url": "https://www.npmjs.com/package/uap-core"}]}, "source": {"advisory": "GHSA-p4pj-mg4r-x6v4", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.054Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ua-parser/uap-core/security/advisories/GHSA-p4pj-mg4r-x6v4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ua-parser/uap-core/commit/dc9925d458214cfe87b93e35346980612f6ae96c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/uap-core"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21317", "datePublished": "2021-02-16T17:45:16", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.054Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uap-core_project:uap-core:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "77C70DB0-831D-4909-B87A-839C80F96572", "versionEndExcluding": "0.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes."}, {"lang": "es", "value": "uap-core en un paquete npm de c\u00f3digo abierto que contiene el core del analizador de cadenas del agente de usuario original de BrowserScope. En uap-core versiones anteriores a 0.11.0, algunas expresiones regulares son vulnerables a una denegaci\u00f3n de servicio de expresi\u00f3n regular (REDoS) debido a la superposici\u00f3n de grupos de captura. Esto permite a atacantes remotos sobrecargar un servidor configurando el encabezado User-Agent en una petici\u00f3n HTTP(S) en cadenas largas dise\u00f1adas maliciosamente. Esto es corregido en versi\u00f3n 0.11.0. Los paquetes posteriores como uap-python, uap-ruby, etc., que dependen de uap-core, siguen esquemas de versiones diferentes"}], "id": "CVE-2021-21317", "lastModified": "2024-02-08T20:29:02.863", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-02-16T18:15:12.583", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ua-parser/uap-core/commit/dc9925d458214cfe87b93e35346980612f6ae96c"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ua-parser/uap-core/security/advisories/GHSA-p4pj-mg4r-x6v4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/uap-core"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}