PT-2024-35355 · Giskard · Giskard
Kevinbackhouse
·
Published
2024-11-14
·
Updated
2024-11-21
·
CVE-2024-52524
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear |
Name of the Vulnerable Software and Affected Versions
Giskard versions prior to 2.15.5
Description
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Giskard. The issue can trigger exponential regex evaluation times when processing datasets that contain specific text patterns, potentially leading to denial of service. The vulnerability affects Giskard's punctuation removal transformation used by the text perturbation detector, where the regex used to detect URLs and links is vulnerable to catastrophic backtracking.
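The following is an added illustration, not Giskard's own code (the vulnerable regex itself is not reproduced in this advisory): a URL-preserving punctuation removal that classifies whitespace-split tokens with bounded checks instead of a backtracking-prone URL regex, plus a small timing helper for flagging super-linear growth in a regression test. Function names and the sample inputs are constructed for this example.

```python
import string
import timeit
from urllib.parse import urlsplit

# Constructed example (not Giskard's implementation). Splitting on whitespace
# and checking each token with fixed-cost operations keeps the transformation
# linear in the input length, so no input can trigger catastrophic backtracking.
_PUNCT_TABLE = str.maketrans("", "", string.punctuation)
_URL_SCHEMES = ("http://", "https://", "ftp://")
_TRAILING = ".,;:!?"  # sentence punctuation glued to the end of a URL token


def looks_like_url(token: str) -> bool:
    """Bounded URL check: a known scheme with a non-empty host, or a 'www.' prefix."""
    lowered = token.lower()
    if lowered.startswith(_URL_SCHEMES):
        try:
            return bool(urlsplit(token).netloc)
        except ValueError:  # e.g. unbalanced IPv6 brackets; treat as plain text
            return False
    return lowered.startswith("www.") and len(lowered) > 4


def remove_punctuation(text: str) -> str:
    """Strip punctuation from non-URL tokens; URL tokens pass through intact."""
    out = []
    for token in text.split():
        if looks_like_url(token):
            out.append(token.rstrip(_TRAILING))
        else:
            cleaned = token.translate(_PUNCT_TABLE)
            if cleaned:  # drop tokens that were punctuation only
                out.append(cleaned)
    return " ".join(out)


def growth_ratio(fn, n: int, make_input=lambda size: "a" * size + "!", repeats: int = 3) -> float:
    """Time fn on inputs of length n and 2n. A ratio near 2 means linear scaling;
    a ratio that keeps climbing as n grows is the signature of ReDoS-prone code."""
    def best(size: int) -> float:
        text = make_input(size)
        return min(timeit.repeat(lambda: fn(text), number=1, repeat=repeats))
    return best(2 * n) / max(best(n), 1e-9)


if __name__ == "__main__":
    print(remove_punctuation("Visit https://example.com/a?b=1, then reply!"))
    print(f"growth ratio at n=200000: {growth_ratio(remove_punctuation, 200_000):.2f}")
```

Feed `growth_ratio` a `make_input` that reproduces the token shape a suspect regex handles and run it at a few sizes; a ratio that stays near 2 is the property the fixed transformation should preserve.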
Recommendations
For Giskard versions prior to 2.15.5, upgrade to version 2.15.5 or later, which includes a fix for this vulnerability. As a temporary workaround, consider restricting the use of the text perturbation detection feature until the issue is resolved. Avoid using the vulnerable regex pattern in the text perturbation detector to minimize the risk of exploitation.
Exploit
Fix
DoS
Weakness Enumeration
Related Identifiers
Affected Products
Giskard