CVE-2020-5243

Denial of Service in uap-core when processing crafted User-Agent strings

CVSS 5.7 MEDIUMEPSS 2.2%CWE-20

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.7EPSS 2.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

20 feb 2020Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Productos afectados

ua-parser · uap-core

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/ua-parser/uap-core/commit/0afd61ed85396a3b5316f18bfd1edfaadf8e88e1 https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p