postcss Package up to 8.2.12 lib/previous-map.js getAnnotationURL/loadAnnotation incorrect regex

Summaryinfo

A vulnerability, which was classified as critical, has been found in postcss Package up to 8.2.12. Affected by this vulnerability is the function getAnnotationURL/loadAnnotation in the library lib/previous-map.js. The manipulation leads to incorrect regex. This vulnerability is traded as CVE-2021-23382. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in postcss Package up to 8.2.12 and classified as critical. This issue affects the function getAnnotationURL/loadAnnotation in the library lib/previous-map.js. The manipulation with an unknown input leads to a incorrect regex vulnerability. Using CWE to declare the problem leads to CWE-185. The product specifies a regular expression in a way that causes data to be improperly matched or compared. Impacted is availability.

The weakness was shared 04/27/2021 as SNYK-JS-POSTCSS-1255640. It is possible to read the advisory at snyk.io. The identification of this vulnerability is CVE-2021-23382. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 8.2.13 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Name

• postcss Package

Version

• 8.2.0
• 8.2.1
• 8.2.2
• 8.2.3
• 8.2.4
• 8.2.5
• 8.2.6
• 8.2.7
• 8.2.8
• 8.2.9
• 8.2.10
• 8.2.11
• 8.2.12

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion