PT-2021-15447 · Unknown+5 · Parse-Path+5

Yeting Li · Published 2021-05-04 · Updated 2022-05-17 · CVE-2021-23343

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: path-parse, all versions
Description: The issue is related to Regular Expression Denial of Service (ReDoS) via the splitDeviceRe, splitTailRe, and splitPathRe regular expressions. The ReDoS exhibits polynomial worst-case time complexity.
Recommendations: For all versions, consider disabling the use of the splitDeviceRe, splitTailRe, and splitPathRe regular expressions as a temporary workaround until a patch is available. Restrict the use of these regular expressions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2021:3623
ALSA-2021:3666
CESA-2021_3623
CESA-2021_3666
CVE-2021-23343
GHSA-HJ48-42VR-X3V9
OESA-2021-1262
OPENSUSE-SU-2022:0657-1
OPENSUSE-SU-2022:0704-1
OPENSUSE-SU-2022:0715-1
OPENSUSE-SU-2022_0657-1
OPENSUSE-SU-2022_0704-1
OPENSUSE-SU-2022_0715-1
OPENSUSE-SU-2022_1717-1
RHSA-2021:2865
RHSA-2021:3280
RHSA-2021:3281
RHSA-2021:3623
RHSA-2021:3638
RHSA-2021:3639
RHSA-2021:3666
RHSA-2021_3623
RHSA-2021_3666
RLSA-2021:3623
RLSA-2021:3666
SNYK-JAVA-ORGWEBJARSNPM-1279028
SNYK-JS-PATHPARSE-1077067
SUSE-SU-2022:0531-1
SUSE-SU-2022:0563-1
SUSE-SU-2022:0569-1
SUSE-SU-2022:0570-1
SUSE-SU-2022:0657-1
SUSE-SU-2022:0704-1
SUSE-SU-2022:0715-1
SUSE-SU-2022:1717-1
SUSE-SU-2022_0531-1
SUSE-SU-2022_0563-1
SUSE-SU-2022_0569-1
SUSE-SU-2022_0570-1
SUSE-SU-2022_0657-1
SUSE-SU-2022_0704-1
SUSE-SU-2022_0715-1
SUSE-SU-2022_1717-1

Affected Products

Almalinux
Centos
Red Hat
Rocky Linux
Suse
Parse-Path