ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Redhat
  • Acm
  • Jaeger
  • Logging
  • Openshift
Ua-parser-js Project
  • Ua-parser-js

Configuration 1 [-]

cpe:2.3:a:ua-parser-js_project:ua-parser-js:*:*:*:*:*:node.js:*:*
Package CPE Advisory Released Date
OpenShift Logging 5.1
openshift-logging/kibana6-rhel8:v6.8.1-108 cpe:/a:redhat:logging:5.1::el8 RHSA-2022:0226 2022-01-20T00:00:00Z
OpenShift Logging 5.2
openshift-logging/kibana6-rhel8:v6.8.1-110 cpe:/a:redhat:logging:5.2::el8 RHSA-2022:0230 2022-01-21T00:00:00Z
OpenShift Logging 5.3
openshift-logging/kibana6-rhel8:v6.8.1-109 cpe:/a:redhat:logging:5.3::el8 RHSA-2022:0227 2022-01-20T00:00:00Z
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
rhacm2/acm-grafana-rhel8:v2.3.0-38 cpe:/a:redhat:acm:2.3::el8 RHSA-2021:3016 2021-08-06T00:00:00Z
Red Hat OpenShift Container Platform 4.8
openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream cpe:/a:redhat:openshift:4.8::el8 RHSA-2021:2438 2021-07-27T00:00:00Z
Red Hat OpenShift Jaeger 1.24
distributed-tracing/jaeger-agent-rhel8:1.24.0-9 cpe:/a:redhat:jaeger:1.24::el8 RHSA-2021:3024 2021-08-09T00:00:00Z
distributed-tracing/jaeger-all-in-one-rhel8:1.24.0-8 cpe:/a:redhat:jaeger:1.24::el8 RHSA-2021:3024 2021-08-09T00:00:00Z
distributed-tracing/jaeger-collector-rhel8:1.24.0-8 cpe:/a:redhat:jaeger:1.24::el8 RHSA-2021:3024 2021-08-09T00:00:00Z
distributed-tracing/jaeger-es-index-cleaner-rhel8:1.24.0-10 cpe:/a:redhat:jaeger:1.24::el8 RHSA-2021:3024 2021-08-09T00:00:00Z
distributed-tracing/jaeger-es-rollover-rhel8:1.24.0-14 cpe:/a:redhat:jaeger:1.24::el8 RHSA-2021:3024 2021-08-09T00:00:00Z
distributed-tracing/jaeger-ingester-rhel8:1.24.0-8 cpe:/a:redhat:jaeger:1.24::el8 RHSA-2021:3024 2021-08-09T00:00:00Z
distributed-tracing/jaeger-query-rhel8:1.24.0-9 cpe:/a:redhat:jaeger:1.24::el8 RHSA-2021:3024 2021-08-09T00:00:00Z
distributed-tracing/jaeger-rhel8-operator:1.24.0-16 cpe:/a:redhat:jaeger:1.24::el8 RHSA-2021:3024 2021-08-09T00:00:00Z
References
Link Providers
https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76 cve-icon cve-icon cve-icon
https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566 cve-icon cve-icon
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-27292 cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-27292 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-17T12:34:48

Updated: 2024-08-03T20:48:16.474Z

Reserved: 2021-02-16T00:00:00

Link: CVE-2021-27292

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2021-03-17T13:15:15.200

Modified: 2021-03-23T20:21:17.347

Link: CVE-2021-27292

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-02-11T00:00:00Z

Links: CVE-2021-27292 - Bugzilla