VDB-218452 · CVE-2022-4891 · ID 244

Sisimai fino 4.25.14p11 lib/sisimai/string.rb to_plain denial of service

In Sisimai fino 4.25.14p11 è stata rilevato un punto critico di livello problematico. Riguarda la funzione to_plain del file lib/sisimai/string.rb. Mediante la manipolazione di un input sconosciuto conseguenza di una vulerabilità di classe denial of service. L'advisory è scaricabile da github.com. Questo punto di criticità è identificato come CVE-2022-4891. L'attuazione dell'attacco deve avvenire localmente. I dettagli tecnici sono conosciuti. È stato dichiarato come proof-of-concept. L'exploit è scaricabile da gist.githubusercontent.com. L'aggiornamento alla versione 4.25.14p12 elimina questa vulnerabilità. L'aggiornamento è scaricabile da github.com. Il bugfix è scaricabile da github.com. Il miglior modo suggerito per attenuare il problema è aggiornamento all'ultima versione. Una possibile soluzione è stata pubblicata già prima e non dopo la pubblicazione della vulnerabilità.

Campo	16/01/2023 19:49	09/02/2023 08:34	09/02/2023 08:36
name	Sisimai	Sisimai	Sisimai
version	<=4.25.14p11	<=4.25.14p11	<=4.25.14p11
file	lib/sisimai/string.rb	lib/sisimai/string.rb	lib/sisimai/string.rb
function	to_plain	to_plain	to_plain
cwe	1333 (denial of service)	1333 (denial of service)	1333 (denial of service)
risk	1	1	1
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	N	N	N
cvss3_vuldb_i	N	N	N
cvss3_vuldb_a	L	L	L
cvss3_vuldb_e	P	P	P
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
identifier	244	244	244
url	https://github.com/sisimai/rb-sisimai/pull/244	https://github.com/sisimai/rb-sisimai/pull/244	https://github.com/sisimai/rb-sisimai/pull/244
availability	1	1	1
publicity	1	1	1
url	https://gist.githubusercontent.com/gmcabrita/e5dc0332473fc2e3a7a407434c8d21c7/raw/00b12035e5e1b685469f143b94301a50306376ba/example.html	https://gist.githubusercontent.com/gmcabrita/e5dc0332473fc2e3a7a407434c8d21c7/raw/00b12035e5e1b685469f143b94301a50306376ba/example.html	https://gist.githubusercontent.com/gmcabrita/e5dc0332473fc2e3a7a407434c8d21c7/raw/00b12035e5e1b685469f143b94301a50306376ba/example.html
name	Upgrade	Upgrade	Upgrade
upgrade_version	4.25.14p12	4.25.14p12	4.25.14p12
upgrade_url	https://github.com/sisimai/rb-sisimai/releases/tag/v4.25.14p12	https://github.com/sisimai/rb-sisimai/releases/tag/v4.25.14p12	https://github.com/sisimai/rb-sisimai/releases/tag/v4.25.14p12
patch_name	51fe2e6521c9c02b421b383943dc9e4bbbe65d4e	51fe2e6521c9c02b421b383943dc9e4bbbe65d4e	51fe2e6521c9c02b421b383943dc9e4bbbe65d4e
patch_url	https://github.com/sisimai/rb-sisimai/commit/51fe2e6521c9c02b421b383943dc9e4bbbe65d4e	https://github.com/sisimai/rb-sisimai/commit/51fe2e6521c9c02b421b383943dc9e4bbbe65d4e	https://github.com/sisimai/rb-sisimai/commit/51fe2e6521c9c02b421b383943dc9e4bbbe65d4e
advisoryquote	Prevent Regex Denial of Service in Sisimai::String.to_plain	Prevent Regex Denial of Service in Sisimai::String.to_plain	Prevent Regex Denial of Service in Sisimai::String.to_plain
cve	CVE-2022-4891	CVE-2022-4891	CVE-2022-4891
responsible	VulDB	VulDB	VulDB
date	1673823600 (16/01/2023)	1673823600 (16/01/2023)	1673823600 (16/01/2023)
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_ci	N	N	N
cvss2_vuldb_ii	N	N	N
cvss2_vuldb_ai	P	P	P
cvss2_vuldb_e	POC	POC	POC
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_av	A	A	A
cvss2_vuldb_au	S	S	S
cvss3_vuldb_av	A	A	A
cvss3_vuldb_pr	L	L	L
cvss3_vuldb_ui	N	N	N
cvss2_vuldb_basescore	2.7	2.7	2.7
cvss2_vuldb_tempscore	2.1	2.1	2.1
cvss3_vuldb_basescore	3.5	3.5	3.5
cvss3_vuldb_tempscore	3.2	3.2	3.2
cvss3_meta_basescore	3.5	3.5	4.8
cvss3_meta_tempscore	3.2	3.2	4.7
price_0day	$0-$5k	$0-$5k	$0-$5k
cve_assigned		1673823600 (16/01/2023)	1673823600 (16/01/2023)
cve_nvd_summary		A vulnerability has been found in Sisimai up to 4.25.14p11 and classified as problematic. This vulnerability affects the function to_plain of the file lib/sisimai/string.rb. The manipulation leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. Upgrading to version 4.25.14p12 is able to address this issue. The name of the patch is 51fe2e6521c9c02b421b383943dc9e4bbbe65d4e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218452.	A vulnerability has been found in Sisimai up to 4.25.14p11 and classified as problematic. This vulnerability affects the function to_plain of the file lib/sisimai/string.rb. The manipulation leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. Upgrading to version 4.25.14p12 is able to address this issue. The name of the patch is 51fe2e6521c9c02b421b383943dc9e4bbbe65d4e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218452.
cvss3_nvd_av			N
cvss3_nvd_ac			L
cvss3_nvd_pr			N
cvss3_nvd_ui			N
cvss3_nvd_s			U
cvss3_nvd_c			N
cvss3_nvd_i			N
cvss3_nvd_a			H
cvss2_nvd_av			A
cvss2_nvd_ac			L
cvss2_nvd_au			S
cvss2_nvd_ci			N
cvss2_nvd_ii			N
cvss2_nvd_ai			P
cvss3_cna_av			A
cvss3_cna_ac			L
cvss3_cna_pr			L
cvss3_cna_ui			N
cvss3_cna_s			U
cvss3_cna_c			N
cvss3_cna_i			N
cvss3_cna_a			L
cve_cna			VulDB
cvss2_nvd_basescore			2.7
cvss3_nvd_basescore			7.5
cvss3_cna_basescore			3.5

◂ Precedente Visione D'insieme Il prossimo ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!