CVE-2024-3772 - OpenCVE

Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Ansible Automation Platform

No data.

Package	CPE	Advisory	Released Date
Red Hat Ansible Automation Platform 2.4 for RHEL 8
automation-controller-0:4.5.7-1.el8ap	cpe:/a:redhat:ansible_automation_platform:2.4::el8	RHSA-2024:3781	2024-06-10T00:00:00Z
python3x-pydantic-0:1.10.15-1.el8ap	cpe:/a:redhat:ansible_automation_platform:2.4::el8	RHSA-2024:3781	2024-06-10T00:00:00Z
Red Hat Ansible Automation Platform 2.4 for RHEL 9
automation-controller-0:4.5.7-1.el9ap	cpe:/a:redhat:ansible_automation_platform:2.4::el9	RHSA-2024:3781	2024-06-10T00:00:00Z
python-pydantic-0:1.10.15-1.el9ap	cpe:/a:redhat:ansible_automation_platform:2.4::el9	RHSA-2024:3781	2024-06-10T00:00:00Z

References

Link	Providers
https://github.com/pydantic/pydantic/pull/7360
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/
https://nvd.nist.gov/vuln/detail/CVE-2024-3772
https://www.cve.org/CVERecord?id=CVE-2024-3772

History

No history.

MITRE

Status: PUBLISHED

Assigner: directcyber

Published: 2024-04-15T01:42:07.888Z

Updated: 2024-08-01T20:20:01.828Z

Reserved: 2024-04-15T01:23:15.783Z

Link: CVE-2024-3772

Vulnrichment

Updated: 2024-08-01T20:20:01.828Z

NVD

Status : Awaiting Analysis

Published: 2024-04-15T03:16:07.987

Modified: 2024-04-26T02:15:06.983

Link: CVE-2024-3772

Redhat

Severity : Moderate

Publid Date: 2024-04-15T00:00:00Z

Links: CVE-2024-3772 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3772", "assignerOrgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "state": "PUBLISHED", "assignerShortName": "directcyber", "dateReserved": "2024-04-15T01:23:15.783Z", "datePublished": "2024-04-15T01:42:07.888Z", "dateUpdated": "2024-08-01T20:20:01.828Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Pydantic", "repo": "https://github.com/pydantic/pydantic", "vendor": "Pydantic", "versions": [{"lessThan": "2.4.0", "status": "affected", "version": "2.0", "versionType": "semver"}, {"lessThan": "1.10.13", "status": "affected", "version": "1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sajeeb Lohani"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.<br>"}], "value": "Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Denial of Service"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "shortName": "directcyber", "dateUpdated": "2024-04-22T19:29:11.444Z"}, "references": [{"url": "https://github.com/pydantic/pydantic/pull/7360"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/"}], "source": {"discovery": "UNKNOWN"}, "title": "Regular expression denial of service in Pydantic < 2.4.0", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "pydantic_project", "product": "pydantic", "cpes": ["cpe:2.3:a:pydantic_project:pydantic:1.0:-:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.0", "status": "affected", "lessThan": "1.10.13", "versionType": "semver"}]}, {"vendor": "pydantic_project", "product": "pydantic", "cpes": ["cpe:2.3:a:pydantic_project:pydantic:2.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-22T19:52:22.735887Z", "id": "CVE-2024-3772", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T15:29:03.754Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.828Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/pydantic/pydantic/pull/7360", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pydantic/pydantic/pull/7360", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.828Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3772", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T19:52:22.735887Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:pydantic_project:pydantic:1.0:-:*:*:*:*:*:*"], "vendor": "pydantic_project", "product": "pydantic", "versions": [{"status": "affected", "version": "1.0", "lessThan": "1.10.13", "versionType": "semver"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:pydantic_project:pydantic:2.0:*:*:*:*:*:*:*"], "vendor": "pydantic_project", "product": "pydantic", "versions": [{"status": "affected", "version": "2.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-22T19:47:21.026Z"}}], "cna": {"title": "Regular expression denial of service in Pydantic < 2.4.0", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sajeeb Lohani"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Denial of Service"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/pydantic/pydantic", "vendor": "Pydantic", "product": "Pydantic", "versions": [{"status": "affected", "version": "2.0", "lessThan": "2.4.0", "versionType": "semver"}, {"status": "affected", "version": "1.0", "lessThan": "1.10.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/pydantic/pydantic/pull/7360"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.\n", "supportingMedia": [{"type": "text/html", "value": "Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "shortName": "directcyber", "dateUpdated": "2024-04-22T19:29:11.444Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3772", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:20:01.828Z", "dateReserved": "2024-04-15T01:23:15.783Z", "assignerOrgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "datePublished": "2024-04-15T01:42:07.888Z", "assignerShortName": "directcyber"}, "dataVersion": "5.1"}

{"affected_release": [{"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "automation-controller-0:4.5.7-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-pydantic-0:1.10.15-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "automation-controller-0:4.5.7-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-pydantic-0:1.10.15-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-06-10T00:00:00Z"}], "bugzilla": {"description": "python-pydantic: regular expression denial of service via crafted email string", "id": "2275106", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275106"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-1333", "details": ["Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.", "A flaw was found in Pydantic, where it did not properly validate regular expressions containing white spaces. This flaw allows remote users to cause a denial of service attack via a crafted email string."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-3772", "public_date": "2024-04-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-3772\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3772"], "threat_severity": "Moderate", "upstream_fix": "python-pydantic 1.10.13, python-pydantic 2.4.0"}