PT-2021-4017 · Prism · Prism

Published 2021-06-28 · Updated 2022-03-28 · CVE-2021-32723

CVSS v3.1: 7.4 High

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Prism versions prior to 1.24.0

Description: Some language grammars in Prism versions prior to 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-supplied) text, an attacker can craft a string that takes a very long time to highlight, causing a denial of service. The issue is only exploitable when Prism highlights user-given text. The affected grammars are ASCIIDoc and ERB; other languages are not affected and can be used to highlight untrusted text.

Recommendations: Update to Prism 1.24.0 or later. Until the update is applied, do not use the ASCIIDoc or ERB grammars on untrusted text; restrict highlighting of user-supplied input to unaffected languages to minimize the risk of exploitation.
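The following is an added example, not code from Prism or from this advisory, showing how an application that highlights user-supplied text can enforce the workaround above: refuse the affected grammars on pre-1.24.0 builds and fall back to escaped plain text instead. The grammar identifiers "asciidoc", "adoc" and "erb" are assumed to be the names Prism registers for these languages, and the version string is assumed to come from the installed package's package.json; both are assumptions, not facts from the advisory.

```javascript
// Added example (not Prism's own code): gate untrusted input away from the
// grammars named in CVE-2021-32723 unless the loaded Prism is already fixed.

// Assumption: these are the identifiers Prism registers for ASCIIDoc
// (with its "adoc" alias) and ERB.
const AFFECTED_GRAMMARS = new Set(["asciidoc", "adoc", "erb"]);
const FIXED_VERSION = "1.24.0"; // version the advisory names as fixed

// Numeric comparison of dotted version strings, so "1.9.0" < "1.24.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `grammar` may be applied to attacker-controlled text on the
// given Prism version: everything is allowed from 1.24.0 on, and only the
// unaffected grammars before that.
function isGrammarSafeForUntrusted(grammar, prismVersion) {
  if (compareVersions(prismVersion, FIXED_VERSION) >= 0) return true;
  return !AFFECTED_GRAMMARS.has(String(grammar).toLowerCase());
}

// Minimal HTML escaping for the fallback path.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Wrapper around a highlighter function (e.g. Prism.highlight bound to a
// grammar). When the grammar is unsafe for this version the text is never
// handed to the regex engine; it is returned escaped but unhighlighted.
function highlightUntrusted(text, grammar, prismVersion, highlightFn) {
  if (!isGrammarSafeForUntrusted(grammar, prismVersion)) {
    return { highlighted: false, html: escapeHtml(text) };
  }
  return { highlighted: true, html: highlightFn(text, grammar) };
}

// Usage with a stand-in highlighter (constructed for the example; a real
// deployment would pass a function that calls Prism.highlight).
const fakeHighlight = (t, g) => `<code class="language-${g}">${escapeHtml(t)}</code>`;
highlightUntrusted("<%= user.name %>", "erb", "1.23.0", fakeHighlight); // falls back
highlightUntrusted("<%= user.name %>", "erb", "1.24.0", fakeHighlight); // highlights
```

The gate keys on the loaded version rather than on a hard-coded "never highlight ERB" rule, so it stops blocking the grammars once the dependency is upgraded; the fallback still escapes the text, so refusing to highlight never turns into an injection problem.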

Fix

DoS

Improper Resource Release

Resource Exhaustion


Weakness Enumeration

Related Identifiers

BDU:2021-04543
CVE-2021-32723
GHSA-gj77-59wh-66hg

Affected Products

Prism