CVE-2021-27292
First published: Thu Feb 11 2021(Updated: )
A regular expression denial of service (ReDoS) vulnerability was found in the npm library `ua-parser-js`. If a supplied user agent matches the `Noble` string and contains many spaces then the regex will conduct backtracking, taking an ever increasing amount of time depending on the number of spaces supplied. An attacker can use this vulnerability to potentially craft a malicious user agent resulting in a denial of service.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ua-parser-js Project Ua-parser-js | >=0.7.14<0.7.24 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
- https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
- https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
- https://access.redhat.com/solutions/5707561
- https://access.redhat.com/errata/RHSA-2021:2438
- https://access.redhat.com/security/cve/cve-2021-27292
- https://access.redhat.com/errata/RHSA-2021:3016
- https://access.redhat.com/errata/RHSA-2021:3024
- https://access.redhat.com/errata/RHSA-2022:0226
- https://access.redhat.com/errata/RHSA-2022:0227
- https://access.redhat.com/errata/RHSA-2022:0230
- https://bugzilla.redhat.com/show_bug.cgi?id=1940613
- https://www.cve.org/CVERecord?id=CVE-2021-27292 https://nvd.nist.gov/vuln/detail/CVE-2021-27292 https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-27292?
CVE-2021-27292 is a regular expression denial of service (ReDoS) vulnerability in the npm library `ua-parser-js`.
How does CVE-2021-27292 impact me?
If you are using the affected version of `ua-parser-js` and a user agent matches the `Noble` string and contains many spaces, the regular expression may take an increasingly long time to process, leading to a potential denial of service.
What is the severity of CVE-2021-27292?
CVE-2021-27292 has a severity rating of 7.5, indicating a high severity.
How can I fix CVE-2021-27292?
To fix CVE-2021-27292, update `ua-parser-js` to version 0.7.24 or higher.
Where can I find more information about CVE-2021-27292?
You can find more information about CVE-2021-27292 at the following references: [GitHub Commit](https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566), [Red Hat Solution](https://access.redhat.com/solutions/5707561)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/author
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-27292
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/ua-parser-js project
- canonical/ua-parser-js project ua-parser-js
- version/ua-parser-js project ua-parser-js/0.7.14
- package-manager/redhat