CVE-2021-23446 - OpenCVE

The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Handsontable	Handsontable

Configuration 1 [-]

cpe:2.3:a:handsontable:handsontable:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/handsontable/handsontable/issues/8752
https://github.com/handsontable/handsontable/pull/8742
https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797
https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2021-09-29T16:45:28.726765Z

Updated: 2024-09-16T19:31:26.679Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23446

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-29T17:15:06.987

Modified: 2023-08-08T14:22:24.967

Link: CVE-2021-23446

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "handsontable", "vendor": "n/a", "versions": [{"lessThan": "10.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Handsontable", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "10.0.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Unknown"}], "datePublic": "2021-09-29T00:00:00", "descriptions": [{"lang": "en", "value": "The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Regular Expression Denial of Service (ReDoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-29T16:45:28", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/handsontable/handsontable/issues/8752"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/handsontable/handsontable/pull/8742"}], "title": "Regular Expression Denial of Service (ReDoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-09-29T16:44:30.760996Z", "ID": "CVE-2021-23446", "STATE": "PUBLIC", "TITLE": "Regular Expression Denial of Service (ReDoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "handsontable", "version": {"version_data": [{"version_affected": "<", "version_value": "10.0.0"}]}}]}, "vendor_name": "n/a"}, {"product": {"product_data": [{"product_name": "Handsontable", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}, {"version_affected": "<", "version_value": "10.0.0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Unknown"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Regular Expression Denial of Service (ReDoS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770"}, {"name": "https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797"}, {"name": "https://github.com/handsontable/handsontable/issues/8752", "refsource": "MISC", "url": "https://github.com/handsontable/handsontable/issues/8752"}, {"name": "https://github.com/handsontable/handsontable/pull/8742", "refsource": "MISC", "url": "https://github.com/handsontable/handsontable/pull/8742"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:56.029Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/handsontable/handsontable/issues/8752"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/handsontable/handsontable/pull/8742"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23446", "datePublished": "2021-09-29T16:45:28.726765Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-16T19:31:26.679Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:handsontable:handsontable:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "12530248-851C-4F16-B015-648DEFF210C4", "versionEndExcluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function."}, {"lang": "es", "value": "El paquete handsontable versiones anteriores a 10.0.0; el paquete handsontable desde la versi\u00f3n 0 y anterior a 10.0.0 son vulnerables a una Denegaci\u00f3n de Servicio por Expresi\u00f3n Regular (ReDoS) en la funci\u00f3n Handsontable.helper.isNumeric"}], "id": "CVE-2021-23446", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2021-09-29T17:15:06.987", "references": [{"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://github.com/handsontable/handsontable/issues/8752"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/handsontable/handsontable/pull/8742"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}