Description

Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Remediation

References

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321

https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044

https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos

Related Vulnerabilities

CVE-2023-29216 Vulnerability in maven package org.apache.linkis:linkis-engineplugin-jdbc

CVE-2020-7596 Vulnerability in npm package codecov

CVE-2020-7677 Vulnerability in maven package org.webjars.npm:thenify

CVE-2020-36179 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2017-7660 Vulnerability in maven package org.apache.solr:solr-core

Severity

Medium

Classification

CWE-1333 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Tags

Mailing List Third Party Advisory Exploit