CVE-2021-23341 - Vulnerability Details - OpenCVE

The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.01762.

Key SSVC decision points have not yet been added.

Vendors	Products
Prismjs	Prism

Configuration 1 [-]

cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-0662	The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
Github GHSA	GHSA-h4hr-7fg3-h35w	Denial of service in prismjs

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609
https://github.com/PrismJS/prism/issues/2583
https://github.com/PrismJS/prism/pull/2584
https://nvd.nist.gov/vuln/detail/CVE-2021-23341
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582
https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581
https://www.cve.org/CVERecord?id=CVE-2021-23341

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2021-02-18T16:00:29.799313Z

Updated: 2024-09-16T19:56:25.729Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23341

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-18T16:15:14.143

Modified: 2024-11-21T05:51:32.237

Link: CVE-2021-23341

Redhat

Severity : Moderate

Publid Date: 2021-02-18T00:00:00Z

Links: CVE-2021-23341 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "prismjs", "vendor": "n/a", "versions": [{"lessThan": "1.23.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Yeting Li"}], "datePublic": "2021-02-18T00:00:00", "descriptions": [{"lang": "en", "value": "The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Regular Expression Denial of Service (ReDoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-18T16:00:29", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrismJS/prism/issues/2583"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrismJS/prism/pull/2584"}], "title": "Regular Expression Denial of Service (ReDoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-02-18T15:56:55.174119Z", "ID": "CVE-2021-23341", "STATE": "PUBLIC", "TITLE": "Regular Expression Denial of Service (ReDoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "prismjs", "version": {"version_data": [{"version_affected": "<", "version_value": "1.23.0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Yeting Li"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Regular Expression Denial of Service (ReDoS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583"}, {"name": "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609", "refsource": "MISC", "url": "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609"}, {"name": "https://github.com/PrismJS/prism/issues/2583", "refsource": "MISC", "url": "https://github.com/PrismJS/prism/issues/2583"}, {"name": "https://github.com/PrismJS/prism/pull/2584", "refsource": "MISC", "url": "https://github.com/PrismJS/prism/pull/2584"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.755Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrismJS/prism/issues/2583"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrismJS/prism/pull/2584"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23341", "datePublished": "2021-02-18T16:00:29.799313Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-16T19:56:25.729Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E1E5D8C6-2FCA-4B91-84FD-411C24D93902", "versionEndExcluding": "1.23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components."}, {"lang": "es", "value": "El paquete prismjs versiones anteriores a 1.23.0, es vulnerable a la Denegaci\u00f3n de Servicio de Expresi\u00f3n Regular (ReDoS) por medio de los componentes prism-asciidoc, prism-rest, prism-tap y prism-eiffel"}], "id": "CVE-2021-23341", "lastModified": "2024-11-21T05:51:32.237", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-18T16:15:14.143", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/PrismJS/prism/issues/2583"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrismJS/prism/pull/2584"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/PrismJS/prism/issues/2583"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrismJS/prism/pull/2584"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nodejs-prismjs: Regular expression denial of service via prism-asciidoc prism-rest prism-tap and prism-eiffel components", "id": "1930420", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930420"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.", "A flaw was found in nodejs-prismjs. A Regular Expression Denial of Service (ReDoS) is possible via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components."], "name": "CVE-2021-23341", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Will not fix", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Will not fix", "impact": "low", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-23341\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23341"], "statement": "OpenShift Container Platform (OCP) and Red Hat Ceph Storage (RHCS) 3 and 4 grafana-container does package a vulnerable verison of prismjs. However due to the instance being read only and behind OpenShift OAuth, it has been given a Low impact. Additionally it has been marked as wont-fix at this time and may be fixed in a future release.\nOpenShift ServiceMesh (OSSM) ncludes a vulnerable version of prismjs. Due to the component being behind OpenShift OAuth and the vulnerability itself being limited to the syntax highlighting within grafana, it has been given a Low impact. The OSSM servicemesh-grafana component has been marked as wont-fix at this time and may be fixed in a future release.\nRed Hat Ceph Storage RHCS 3 and 4 grafana includes a vulnerable version of prismjs, however, due to the vulnerability itself being limited to the syntax highlighting within grafana, it has been given a Low impact. RHCS 3 and 4 have been marked as wont-fix at this time and may be fixed in a future release.", "threat_severity": "Moderate"}