CVE-2021-43843

Published: Dic 20, 2021 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2022-0618 Aliases: GHSA-hp68-xhvj-x6j6
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: low
MEDIUM 5,0
Source: [email protected]
Access Vector: network
Access Complexity: low
Authentication: none
Confidentiality: none
Integrity: none
Availability: partial

Description

AI Translation Available

jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into `<blockquote>` tag _with including multibyte characters_, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in `<blockquote>` with multibyte characters.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0056
Percentile
0,7th
Updated

EPSS Score Trend (Last 91 Days)

400

Uncontrolled Resource Consumption

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Access Control Other
Potential Impacts:
Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Bypass Protection Mechanism Other
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
1333

Inefficient Regular Expression Complexity

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Resource Consumption (Cpu)
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
Application

Jsx-Slack by Jsx-Slack Project

Product Information
Vendor Jsx-Slack Project
Product Jsx-Slack
Version Range Affected
To 4.5.2 (exclusive)
cpe:2.3:a:jsx-slack_project:jsx-slack:*:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda…
Patch Third Party Advisory
https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29…
https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2
Release Notes Third Party Advisory
https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2
https://github.com/yhatt/jsx-slack/security/advisories/GHSA…
Exploit Patch Third Party Advisory
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q
https://github.com/yhatt/jsx-slack/security/advisories/GHSA…
Exploit Patch Third Party Advisory
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6
https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda…
Patch Third Party Advisory
https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29…
https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2
Release Notes Third Party Advisory
https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2
https://github.com/yhatt/jsx-slack/security/advisories/GHSA…
Exploit Patch Third Party Advisory
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q
https://github.com/yhatt/jsx-slack/security/advisories/GHSA…
Exploit Patch Third Party Advisory
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6