CVE-2021-33580 - OpenCVE

User controlled `request.getHeader("Referer")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Roller

Configuration 1 [-]

cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2021/08/18/1
https://lists.apache.org/thread.html/r9d967d80af941717573e531db2c7353a90bfd0886e9b5d5d79f75506%40%3Cuser.roller.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-08-18T07:50:10

Updated: 2024-08-03T23:50:43.188Z

Reserved: 2021-05-26T00:00:00

Link: CVE-2021-33580

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-08-18T08:15:06.173

Modified: 2021-08-26T01:25:41.707

Link: CVE-2021-33580

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Roller", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "6.0.2", "status": "affected", "version": "Apache Roller", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Roller would like to thank Ed Ra (https://github.com/edvraa) for reporting this."}], "descriptions": [{"lang": "en", "value": "User controlled `request.getHeader(\"Referer\")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2."}], "metrics": [{"other": {"content": {"other": "Low: This attack will only work if Banned-words Referrer processing is turned on in Roller and it is off-by-default."}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-18T08:06:23", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r9d967d80af941717573e531db2c7353a90bfd0886e9b5d5d79f75506%40%3Cuser.roller.apache.org%3E"}, {"name": "[oss-security] 20210817 CVE-2021-33580: Apache Roller: regex injection leading to DoS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/08/18/1"}], "source": {"discovery": "UNKNOWN"}, "title": "regex injection leading to DoS", "workarounds": [{"lang": "en", "value": "This problem has been fixed in Roller 6.0.2. If you are not able to upgrade then you can \"work around\" the problem.\n\nIf Banned-Words Referrer processing is enabled and you are concerned about this type of attack then disable it.\n\nIn the Roller properties, set this property site.bannedwordslist.enable.referrers=false"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-33580", "STATE": "PUBLIC", "TITLE": "regex injection leading to DoS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Roller", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Roller", "version_value": "6.0.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Roller would like to thank Ed Ra (https://github.com/edvraa) for reporting this."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "User controlled `request.getHeader(\"Referer\")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "Low: This attack will only work if Banned-words Referrer processing is turned on in Roller and it is off-by-default."}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r9d967d80af941717573e531db2c7353a90bfd0886e9b5d5d79f75506%40%3Cuser.roller.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r9d967d80af941717573e531db2c7353a90bfd0886e9b5d5d79f75506%40%3Cuser.roller.apache.org%3E"}, {"name": "[oss-security] 20210817 CVE-2021-33580: Apache Roller: regex injection leading to DoS", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/08/18/1"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "This problem has been fixed in Roller 6.0.2. If you are not able to upgrade then you can \"work around\" the problem.\n\nIf Banned-Words Referrer processing is enabled and you are concerned about this type of attack then disable it.\n\nIn the Roller properties, set this property site.bannedwordslist.enable.referrers=false"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:50:43.188Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r9d967d80af941717573e531db2c7353a90bfd0886e9b5d5d79f75506%40%3Cuser.roller.apache.org%3E"}, {"name": "[oss-security] 20210817 CVE-2021-33580: Apache Roller: regex injection leading to DoS", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/08/18/1"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-33580", "datePublished": "2021-08-18T07:50:10", "dateReserved": "2021-05-26T00:00:00", "dateUpdated": "2024-08-03T23:50:43.188Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A3A7D5E-4C46-4659-B300-EEA08ED8BC29", "versionEndExcluding": "6.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "User controlled `request.getHeader(\"Referer\")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2."}, {"lang": "es", "value": "Los controles de usuario \"request.getHeader(\"Referer\")\", \"request.getRequestURL()\" y \"request.getQueryString()\" son usados para construir y ejecutar una expresi\u00f3n regex. El atacante no tiene que usar un navegador y puede enviar un encabezado Referer especialmente dise\u00f1ada mediante programaci\u00f3n. Dado que el atacante controla la cadena y el patr\u00f3n regex, puede causar un ReDoS mediante el retroceso catastr\u00f3fico de regex en el lado del servidor. Este problema ha sido corregido en Roller versi\u00f3n 6.0.2."}], "id": "CVE-2021-33580", "lastModified": "2021-08-26T01:25:41.707", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-18T08:15:06.173", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/08/18/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r9d967d80af941717573e531db2c7353a90bfd0886e9b5d5d79f75506%40%3Cuser.roller.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Secondary"}]}