{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45813", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-09T14:23:07.505Z", "datePublished": "2024-09-18T16:47:57.138Z", "dateUpdated": "2024-09-18T18:07:10.935Z"}, "containers": {"cna": {"title": "ReDoS vulnerability in multiparametric routes in find-my-way", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6"}, {"name": "https://github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440", "tags": ["x_refsource_MISC"], "url": "https://github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440"}, {"name": "https://blakeembrey.com/posts/2024-09-web-redos", "tags": ["x_refsource_MISC"], "url": "https://blakeembrey.com/posts/2024-09-web-redos"}], "affected": [{"vendor": "delvedor", "product": "find-my-way", "versions": [{"version": "< 8.2.2", "status": "affected"}, {"version": "= 9.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-18T16:47:57.138Z"}, "descriptions": [{"lang": "en", "value": "find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue."}], "source": {"advisory": "GHSA-rrr8-f88r-h8q6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T18:07:01.965848Z", "id": "CVE-2024-45813", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T18:07:10.935Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-18T18:07:01.965848Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T18:07:07.246Z"}}], "cna": {"title": "ReDoS vulnerability in multiparametric routes in find-my-way", "source": {"advisory": "GHSA-rrr8-f88r-h8q6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "delvedor", "product": "find-my-way", "versions": [{"status": "affected", "version": "< 8.2.2"}, {"status": "affected", "version": "= 9.0.0"}]}], "references": [{"url": "https://github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6", "name": "https://github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440", "name": "https://github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440", "tags": ["x_refsource_MISC"]}, {"url": "https://blakeembrey.com/posts/2024-09-web-redos", "name": "https://blakeembrey.com/posts/2024-09-web-redos", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-18T16:47:57.138Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45813", "state": "PUBLISHED", "dateUpdated": "2024-09-18T18:07:10.935Z", "dateReserved": "2024-09-09T14:23:07.505Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-18T16:47:57.138Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue."}, {"lang": "es", "value": "find-my-way es un enrutador HTTP r\u00e1pido y de c\u00f3digo abierto que utiliza internamente un \u00e1rbol de base (tambi\u00e9n conocido como \u00e1rbol de prefijos compacto), admite par\u00e1metros de ruta, comodines y es independiente del framework de trabajo. Se genera una expresi\u00f3n regular incorrecta cada vez que se tienen dos par\u00e1metros dentro de un solo segmento, al agregar un `-` al final, como `/:a-:b-`. Esto puede causar una denegaci\u00f3n de servicio en algunos casos. Se recomienda a los usuarios que actualicen find-my-way a v8.2.2 o v9.0.1 o versiones posteriores. No se conocen workarounds para este problema."}], "id": "CVE-2024-45813", "lastModified": "2024-09-20T12:30:17.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-18T17:15:19.163", "references": [{"source": "security-advisories@github.com", "url": "https://blakeembrey.com/posts/2024-09-web-redos"}, {"source": "security-advisories@github.com", "url": "https://github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440"}, {"source": "security-advisories@github.com", "url": "https://github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "find-my-way: ReDoS vulnerability in multiparametric routes", "id": "2313383", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313383"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1333", "details": ["find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue.", "A regular expression denial of service (ReDoS) flaw was found in find-my-way. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, such as `/:a-:b-`. This issue may cause a denial of service in some instances."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-45813", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/console-mce-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/multicluster-engine-console-mce-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-dashboard-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-operator-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Affected", "package_name": "devspaces/dashboard-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2024-09-18T17:15:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45813\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45813\nhttps://blakeembrey.com/posts/2024-09-web-redos\nhttps://github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440\nhttps://github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6"], "threat_severity": "Moderate"}