CVE-2021-23343: Regular Expression Denial of Service (ReDoS)
First published: Tue May 04 2021(Updated: )
A flaw was found in nodejs-path-parse. All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-nodejs14-nodejs | <0:14.17.5-1.el7 | 0:14.17.5-1.el7 |
| redhat/rh-nodejs12-nodejs | <0:12.22.5-1.el7 | 0:12.22.5-1.el7 |
| redhat/rh-nodejs12-nodejs-nodemon | <0:2.0.3-5.el7 | 0:2.0.3-5.el7 |
| redhat/ovirt-engine-ui-extensions | <0:1.2.7-1.el8e | 0:1.2.7-1.el8e |
| Path-parse Project Path-parse | <1.0.7 | |
| redhat/path-parse | <1.0.7 | 1.0.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-23343 https://nvd.nist.gov/vuln/detail/CVE-2021-23343 https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067
- https://bugzilla.redhat.com/show_bug.cgi?id=1956818
- https://access.redhat.com/errata/RHSA-2021:3016
- https://access.redhat.com/errata/RHSA-2021:3623
- https://access.redhat.com/errata/RHSA-2021:3666
- https://access.redhat.com/errata/RHSA-2021:3639
- https://access.redhat.com/errata/RHSA-2021:3638
- https://access.redhat.com/errata/RHSA-2021:3280
- https://access.redhat.com/errata/RHSA-2021:3281
- https://access.redhat.com/errata/RHSA-2021:2865
- https://access.redhat.com/errata/RHSA-2021:4902
- https://access.redhat.com/security/cve/cve-2021-23343
- https://github.com/jbgutierrez/path-parse/issues/8
- https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028
- https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1956819
- https://exchange.xforce.ibmcloud.com/vulnerabilities/201206
- https://www.ibm.com/support/pages/node/6507095 (Advisory)
- https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85%40%3Cdev.myfaces.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
CVE-2021-23343
What is the severity of CVE-2021-23343?
The severity of CVE-2021-23343 is medium with a CVSS score of 5.3.
Which software versions are affected by CVE-2021-23343?
All versions up to and including 1.0.7 of the path-parse package are affected. Additionally, versions 0:14.17.5-1.el7 and 0:12.22.5-1.el7 of rh-nodejs14-nodejs and rh-nodejs12-nodejs respectively are also affected.
How can an attacker exploit CVE-2021-23343?
An attacker can exploit CVE-2021-23343 by sending a specially-crafted request via certain regular expressions, causing a regular expression denial of service (ReDoS).
How can CVE-2021-23343 be fixed?
To fix CVE-2021-23343, it is recommended to update the path-parse package to version 1.0.8 or later. For rh-nodejs14-nodejs and rh-nodejs12-nodejs, update to versions 0:14.17.6-1.el7 and 0:12.22.6-1.el7 respectively.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-23343
- agent/software-canonical-lookup
- agent/description
- collector/ibm-support
- source/IBM
- agent/softwarecombine
- agent/references
- agent/title
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- package-manager/redhat
- vendor/path-parse project
- canonical/path-parse project path-parse