CVE-2021-43843 - OpenCVE

Vendors	Products
Jsx-slack Project	Jsx-slack

Link	Providers
https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29ecc
https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6

{"containers": {"cna": {"affected": [{"product": "jsx-slack", "vendor": "yhatt", "versions": [{"status": "affected", "version": "< 4.5.2"}]}], "descriptions": [{"lang": "en", "value": "jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into `<blockquote>` tag _with including multibyte characters_, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in `<blockquote>` with multibyte characters."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-20T21:15:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29ecc"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2"}], "source": {"advisory": "GHSA-hp68-xhvj-x6j6", "discovery": "UNKNOWN"}, "title": "Insufficient patch for Regular Expression Denial of Service (ReDoS) to jsx-slack v4.5.1", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43843", "STATE": "PUBLIC", "TITLE": "Insufficient patch for Regular Expression Denial of Service (ReDoS) to jsx-slack v4.5.1"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "jsx-slack", "version": {"version_data": [{"version_value": "< 4.5.2"}]}}]}, "vendor_name": "yhatt"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into `<blockquote>` tag _with including multibyte characters_, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in `<blockquote>` with multibyte characters."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}, {"description": [{"lang": "eng", "value": "CWE-1333: Inefficient Regular Expression Complexity"}]}]}, "references": {"reference_data": [{"name": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6", "refsource": "CONFIRM", "url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6"}, {"name": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q", "refsource": "MISC", "url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q"}, {"name": "https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29ecc", "refsource": "MISC", "url": "https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29ecc"}, {"name": "https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2", "refsource": "MISC", "url": "https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2"}]}, "source": {"advisory": "GHSA-hp68-xhvj-x6j6", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:16.503Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29ecc"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43843", "datePublished": "2021-12-20T21:15:12", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:10:16.503Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jsx-slack_project:jsx-slack:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7E7A11E3-74FF-4031-892F-552C8FB985A1", "versionEndExcluding": "4.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into `<blockquote>` tag _with including multibyte characters_, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in `<blockquote>` with multibyte characters."}, {"lang": "es", "value": "jsx-slack es un paquete para construir objetos JSON para las superficies del kit de bloques Slack desde JSX. Los mantenedores encontraron que el parche para CVE-2021-43838 en jsx-slack versi\u00f3n v4.5.1, es insuficiente para la protecci\u00f3n contra un ataque de denegaci\u00f3n de servicio por expresi\u00f3n regular (ReDoS). Si un atacante puede poner muchos elementos JSX en la etiqueta \"(blockquote)\" con inclusi\u00f3n de caracteres multibyte_, una expresi\u00f3n regular interna para el escape de caracteres puede consumir una cantidad excesiva de recursos inform\u00e1ticos. jsx-slack versi\u00f3n v4.5.1, pasa la prueba contra caracteres ASCII pero falla en el caso de los caracteres multibyte. jsx-slack versi\u00f3n v4.5.2, ha actualizado las expresiones regulares para el escape de caracteres blockquote con el fin de evitar el retroceso catastr\u00f3fico. Tambi\u00e9n incluye un caso de prueba actualizado para confirmar la representaci\u00f3n de m\u00faltiples etiquetas en \"(blockquote)\" con caracteres multibyte"}], "id": "CVE-2021-43843", "lastModified": "2022-08-09T13:27:45.763", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-12-20T22:15:07.817", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29ecc"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1333"}, {"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products