#VU63704 Incorrect Regular Expression in UAParser.js


Published: 2022-05-26 | Updated: 2022-05-26

Vulnerability identifier: #VU63704

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-7793

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
UAParser.js
Web applications / JS libraries

Vendor: Faisal Salman

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

UAParser.js: 0.1 - 0.7.22


CPE

External links
http://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387
http://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability