CVE-2021-27292 - Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00393.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Acm Jaeger Logging Openshift
Ua-parser-js Project	Ua-parser-js

Configuration 1 [-]

cpe:2.3:a:ua-parser-js_project:ua-parser-js:*:*:*:*:*:node.js:*:*

Package	CPE	Advisory	Released Date
OpenShift Logging 5.1
openshift-logging/kibana6-rhel8:v6.8.1-108	cpe:/a:redhat:logging:5.1::el8	RHSA-2022:0226	2022-01-20T00:00:00Z
OpenShift Logging 5.2
openshift-logging/kibana6-rhel8:v6.8.1-110	cpe:/a:redhat:logging:5.2::el8	RHSA-2022:0230	2022-01-21T00:00:00Z
OpenShift Logging 5.3
openshift-logging/kibana6-rhel8:v6.8.1-109	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:0227	2022-01-20T00:00:00Z
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
rhacm2/acm-grafana-rhel8:v2.3.0-38	cpe:/a:redhat:acm:2.3::el8	RHSA-2021:3016	2021-08-06T00:00:00Z
Red Hat OpenShift Container Platform 4.8
openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:2438	2021-07-27T00:00:00Z
Red Hat OpenShift Jaeger 1.24
distributed-tracing/jaeger-agent-rhel8:1.24.0-9	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-all-in-one-rhel8:1.24.0-8	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-collector-rhel8:1.24.0-8	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-es-index-cleaner-rhel8:1.24.0-10	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-es-rollover-rhel8:1.24.0-14	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-ingester-rhel8:1.24.0-8	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-query-rhel8:1.24.0-9	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-rhel8-operator:1.24.0-16	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-0991	ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Github GHSA	GHSA-78cj-fxph-m83p	Regular Expression Denial of Service (ReDoS) in ua-parser-js

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
https://nvd.nist.gov/vuln/detail/CVE-2021-27292
https://www.cve.org/CVERecord?id=CVE-2021-27292

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-17T12:34:48

Updated: 2024-08-03T20:48:16.474Z

Reserved: 2021-02-16T00:00:00

Link: CVE-2021-27292

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-17T13:15:15.200

Modified: 2024-11-21T05:57:45.830

Link: CVE-2021-27292

Redhat

Severity : Moderate

Publid Date: 2021-02-11T00:00:00Z

Links: CVE-2021-27292 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object