#VU36063 Input validation error in highcharts


Published: 2019-03-14 | Updated: 2020-08-08

Vulnerability identifier: #VU36063

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20801

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
highcharts
Web applications / JS libraries

Vendor: highcharts

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS.

Mitigation
Install update from vendor's website.

Vulnerable software versions

highcharts: 6.0.0 - 6.0.7

External links
http://github.com/highcharts/highcharts/commit/7c547e1e0f5e4379f94396efd559a566668c0dfa
http://security.netapp.com/advisory/ntap-20190715-0001/
http://snyk.io/vuln/npm:highcharts:20180225

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar Advisor With Watson App for IBM QRadar SIEM
Multiple vulnerabilities in API Gateway and API Manager
Input validation error in highcharts