PT-2021-5825
Yeting Li · Published 2021-03-23 · Updated 2023-08-08
CVE-2021-23362
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
hosted-git-info versions prior to 3.0.8
Description
The issue is a Regular Expression Denial of Service (ReDoS) in the fromUrl function in index.js, caused by the shortcutMatch regular expression, which has polynomial worst-case time complexity. A remote attacker can exploit it to cause a denial of service.
Recommendations
For versions prior to 3.0.8, update to version 3.0.8 or later to resolve the issue. As a temporary workaround, consider disabling the fromUrl function until a patch is available. Restrict access to the index.js file to minimize the risk of exploitation. Avoid using the shortcutMatch regular expression in the affected API endpoint until the issue is resolved.
Exploit
Fix
DoS
Resource Exhaustion
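As an added example (not code from the advisory or from the hosted-git-info project), the script below applies the first recommendation by flagging every hosted-git-info copy below 3.0.8 recorded in a project's package-lock.json; the lockfile it scans is a constructed sample, and it reads lockfileVersion 1 as well as 2/3.

```javascript
// Added example (not from the advisory or the hosted-git-info project): list
// hosted-git-info copies older than 3.0.8, the fixed release named above, in
// a package-lock.json; handles lockfileVersion 1 and 2/3 layouts.
const PACKAGE = "hosted-git-info";
const FIXED_VERSION = "3.0.8";

// Numeric compare of dotted versions (pre-release suffix ignored):
// negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}
// Below the fix? Guarded because link/workspace entries may carry no version.
function isBelowFix(version) {
  return typeof version === "string" && compareVersions(version, FIXED_VERSION) < 0;
}

// lockfileVersion 1: nested "dependencies" objects, one level per package.
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE && isBelowFix(meta.version)) hits.push({ path, version: meta.version });
    walkV1(meta.dependencies, `${path}/`, hits);
  }
}

// Return every install path holding a hosted-git-info copy below the fix.
function findVulnerableHostedGitInfo(lock) {
  const hits = [];
  if (lock.packages) { // v2/v3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + PACKAGE) && isBelowFix(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else walkV1(lock.dependencies, "", hits);
  return hits;
}

// Constructed sample lockfile: one copy at the fix, one vulnerable nested copy.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "node_modules/hosted-git-info": { version: "3.0.8" },
  "node_modules/npm/node_modules/hosted-git-info": { version: "2.8.9" },
} };
console.log(findVulnerableHostedGitInfo(SAMPLE_LOCK)); // one hit: 2.8.9
```

Nested copies under other packages (npm itself bundles one) are the ones most often missed, which is why the scan walks every install path rather than only the top-level entry.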
Related Identifiers
Affected Products
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Hosted-Git-Info