Incorrect Regular Expression in CKEditor

#VU61427 Incorrect Regular Expression in CKEditor

Published: 2022-03-17

Vulnerability identifier: #VU61427

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-24729

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CKEditor
Web applications / JS libraries

Vendor: CKSource

Description

The vulnerability allows a remote attacker to perform regular expression denial of service attack.

The vulnerability exists due to improper input validation in CKEditor 4 dialog plugin. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

CKEditor: 4.0 basic - 4.17.2

External links
http://ckeditor.com/cke4/release/CKEditor-4.18.0
http://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA

Multiple vulnerabilities in IBM OpenPages with Watson

Multiple vulnerabilities in IBM Cognos Analytics

Multiple vulnerabilities in Oracle Commerce Guided Search

Multiple vulnerabilities in IBM Planning Analytics Workspace

Multiple vulnerabilities in IBM Sterling B2B Integrator

Multiple vulnerabilities in Oracle Application Express

Multiple vulnerabilities in Oracle Business Intelligence Enterprise Edition

Multiple vulnerabilities in Oracle WebCenter Portal

Multiple vulnerabilities in Oracle WebCenter Sites