Resource exhaustion in uap-core

#VU25628 Resource exhaustion in uap-core

Published: 2020-02-26

Vulnerability identifier: #VU25628

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5243

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
uap-core
Web applications / Modules and components for CMS

Vendor: ua-parser

Description

The vulnerability allows a remote attacker to perform a regular expression denial of service (REDoS).

The vulnerability exists due to overlapping capture groups when processing crafted User-Agent strings. A remote attacker can overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings, trigger resource exhaustion and perform a regular expression denial of service (REDoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

uap-core: 0.1.0 - 0.7.2

External links
http://github.com/ua-parser/uap-core/commit/0afd61ed85396a3b5316f18bfd1edfaadf8e88e1
http://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Regular Expression Denial of Service (ReDoS) in uap-core