Woorank robots-txt-guard lib/patterns.js makePathPattern redos

A vulnerability was found in Woorank robots-txt-guard (version unknown). It has been rated as problematic. Affected by this issue is the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern with an unknown input leads to a redos vulnerability. Using CWE to declare the problem leads to CWE-1333. The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Impacted is availability.

The weakness was presented 01/05/2023. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2021-4305. Technical details as well as a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1449.003.

The exploit is available at github.com. It is declared as proof-of-concept.

Applying the patch c03827cd2f9933619c23894ce7c98401ea824020 is able to eliminate this problem. The bugfix is ready for download at github.com.

Productinfo

Vendor

Name

License

CPE 2.3info

CPE 2.2info

CVSSv4info

VulDB Vector: 🔍
VulDB Reliability: 🔍

CVSSv3info

VulDB Meta Base Score: 4.8
VulDB Meta Temp Score: 4.7

VulDB Base Score: 3.5
VulDB Temp Score: 3.2
VulDB Vector: 🔍
VulDB Reliability: 🔍

NVD Base Score: 7.5
NVD Vector: 🔍

CNA Base Score: 3.5
CNA Vector (VulDB): 🔍

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
unlockunlockunlockunlockunlockunlock
unlockunlockunlockunlockunlockunlock
unlockunlockunlockunlockunlockunlock

VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍

NVD Base Score: 🔍

Exploitinginfo

Class: Redos
CWE: CWE-1333 / CWE-400 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍

Local: No
Remote: Partially

Availability: 🔍
Access: Public
Status: Proof-of-Concept
Download: 🔍

EPSS Score: 🔍
EPSS Percentile: 🔍

Price Prediction: 🔍
Current Price Estimation: 🔍

0-Dayunlockunlockunlockunlock
Todayunlockunlockunlockunlock

Threat Intelligenceinfo

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍

Countermeasuresinfo

Recommended: Patch
Status: 🔍

0-Day Time: 🔍

Patch: c03827cd2f9933619c23894ce7c98401ea824020

Timelineinfo

01/05/2023 🔍
01/05/2023 +0 days 🔍
01/05/2023 +0 days 🔍
01/28/2023 +23 days 🔍

Sourcesinfo

Advisory: c03827cd2f9933619c23894ce7c98401ea824020
Status: Confirmed

CVE: CVE-2021-4305 (🔍)
GCVE (CVE): GCVE-0-2021-4305
GCVE (VulDB): GCVE-100-217448
scip Labs: https://www.scip.ch/en/?labs.20161013

Entryinfo

Created: 01/05/2023 11:08
Updated: 01/28/2023 15:36
Changes: 01/05/2023 11:08 (44), 01/28/2023 15:31 (3), 01/28/2023 15:36 (28)
Complete: 🔍
Cache ID: 152:AC2:65

Discussion

No comments yet. Languages: en.

Please log in to comment.

Do you know our Splunk app?

Download it now for free!