PT-2020-18339 · Uap · Uap-Core

Bcaller +1 · Published 2020-02-20 · Updated 2024-02-08 · CVE-2020-5243

CVSS v3.1: 5.7 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: uap-core versions prior to 0.7.3

Description: The issue allows remote attackers to overload a server by setting the User-Agent header of an HTTP(S) request to a maliciously crafted long string. The cause is that some of the parser's regexes are vulnerable to regular expression denial of service (ReDoS) because of overlapping capture groups. Each vulnerable regular expression contains 3 overlapping capture groups, so backtracking has approximately cubic time complexity with respect to the length of the user-agent string.

Recommendations: Update uap-core to version 0.7.3 or later to resolve the issue. As a temporary workaround, restrict the length of the User-Agent header accepted in HTTP(S) requests so that the regexes are never run on unbounded input. Additionally, disabling or restricting the use of the vulnerable regexes can reduce the risk until the patch is applied.
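The following is an added example, not code from this advisory or from the uap-core project. It illustrates both the mechanism in the description (why three capture groups that can overlap make backtracking grow roughly cubically) and the workaround in the recommendations (bounding User-Agent length before any regex runs). The regexes are constructed for illustration and are not uap-core's patterns; the 512-byte cap and the `parser` callable are assumptions.

```python
import re
import time
from typing import Callable, Optional

# Constructed illustration, NOT a uap-core regex: three \w+ groups separated by
# *optional* whitespace. Because \s* can match the empty string, a run of word
# characters can be split between the three groups in O(n^2) ways, and each
# failed split is rewound one character at a time, giving ~n^3 steps on input
# that almost matches but fails at the end.
OVERLAPPING_RE = re.compile(r"^(\w+)\s*(\w+)\s*(\w+)\s*$")

# Same intent with mandatory separators: \w and \s are disjoint classes, so
# every group boundary is unambiguous and the engine never retries a split.
UNAMBIGUOUS_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\w+)\s*$")


def backtracking_input(n: int) -> str:
    """Non-matching input: n word chars, then a char that is neither \\w nor \\s."""
    return "a" * n + "!"


def time_match(pattern: re.Pattern, text: str) -> float:
    """Wall-clock seconds for one match attempt (the match result is not needed)."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def growth_ratio(pattern: re.Pattern, n: int) -> float:
    """Slowdown when the input doubles: ~2 means linear, ~8 suggests cubic."""
    t1 = time_match(pattern, backtracking_input(n))
    t2 = time_match(pattern, backtracking_input(2 * n))
    return t2 / t1 if t1 > 0 else float("inf")


# Assumed cap; real browser User-Agent values are a few hundred bytes.
MAX_USER_AGENT_LEN = 512


def bounded_user_agent(header: Optional[str],
                       max_len: int = MAX_USER_AGENT_LEN) -> Optional[str]:
    """Return the header if it is within the cap, else None (caller skips parsing)."""
    if header is None or len(header) > max_len:
        return None
    return header


def parse_user_agent_guarded(header: Optional[str],
                             parser: Callable[[str], object],
                             max_len: int = MAX_USER_AGENT_LEN):
    """Run `parser` (assumed to be a uap-core based parser) only on bounded input.

    Over-long headers are dropped before any regex sees them, which is the
    temporary mitigation the advisory recommends.
    """
    ua = bounded_user_agent(header, max_len)
    if ua is None:
        return None
    return parser(ua)


if __name__ == "__main__":
    for name, pat in (("overlapping", OVERLAPPING_RE), ("unambiguous", UNAMBIGUOUS_RE)):
        print(f"{name:12s} growth ratio n=60 -> 120: {growth_ratio(pat, 60):.1f}x")
    print(parse_user_agent_guarded("a" * 10_000, lambda s: s.split("/")))  # None
    print(parse_user_agent_guarded("Mozilla/5.0", lambda s: s.split("/")))  # ['Mozilla', '5.0']
```

Running the script prints a growth ratio near 8 for the overlapping pattern and near 2 (or noise-dominated, since the match is microseconds) for the unambiguous one; timing is deliberately kept to small inputs because the point is the trend, not a stress test. The guard is deliberately a hard reject rather than a truncation: a truncated header is still parsed, so a cut-off that happens to leave an almost-matching prefix would still be fed to the regex.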

Exploit · Fix · DoS · RCE

Weakness Enumeration

Related Identifiers: CVE-2020-5243, GHSA-CMCX-XHR8-3W9P

Affected Products: Uap-Core