CVE-2021-27292 - Vulnerability Details

- nodejs-ua-parser-js: ReDoS via malicious User-Agent header

Description

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Published: 2021-03-17

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:ua-parser-js_project:ua-parser-js:*:*:*:*:*:node.js:*:*

Package	CPE	Advisory	Released Date
OpenShift Logging 5.1
openshift-logging/kibana6-rhel8:v6.8.1-108	cpe:/a:redhat:logging:5.1::el8	RHSA-2022:0226	2022-01-20T00:00:00Z
OpenShift Logging 5.2
openshift-logging/kibana6-rhel8:v6.8.1-110	cpe:/a:redhat:logging:5.2::el8	RHSA-2022:0230	2022-01-21T00:00:00Z
OpenShift Logging 5.3
openshift-logging/kibana6-rhel8:v6.8.1-109	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:0227	2022-01-20T00:00:00Z
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
rhacm2/acm-grafana-rhel8:v2.3.0-38	cpe:/a:redhat:acm:2.3::el8	RHSA-2021:3016	2021-08-06T00:00:00Z
Red Hat OpenShift Container Platform 4.8
openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:2438	2021-07-27T00:00:00Z
Red Hat OpenShift Jaeger 1.24
distributed-tracing/jaeger-agent-rhel8:1.24.0-9	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-all-in-one-rhel8:1.24.0-8	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-collector-rhel8:1.24.0-8	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-es-index-cleaner-rhel8:1.24.0-10	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-es-rollover-rhel8:1.24.0-14	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-ingester-rhel8:1.24.0-8	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-query-rhel8:1.24.0-9	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-rhel8-operator:1.24.0-16	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-0991	ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Github GHSA	GHSA-78cj-fxph-m83p	Regular Expression Denial of Service (ReDoS) in ua-parser-js

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00266.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
https://nvd.nist.gov/vuln/detail/CVE-2021-27292
https://www.cve.org/CVERecord?id=CVE-2021-27292

History

No history.

Subscriptions

Redhat Acm Jaeger Logging Openshift

Ua-parser-js Project Ua-parser-js

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-17T12:34:48.000Z

Updated: 2024-08-03T20:48:16.474Z

Reserved: 2021-02-16T00:00:00.000Z

Link: CVE-2021-27292

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-17T13:15:15.200

Modified: 2024-11-21T05:57:45.830

Link: CVE-2021-27292

Redhat

Severity : Moderate

Publid Date: 2021-02-11T00:00:00Z

Links: CVE-2021-27292 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object