Description

Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Remediation

References

https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos

https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/

Related Vulnerabilities

CVE-2023-46604 Vulnerability in maven package org.apache.activemq:activemq-client

CVE-2023-35155 Vulnerability in maven package org.xwiki.platform:xwiki-platform-sharepage-api

CVE-2022-4135 Vulnerability in npm package electron

CVE-2021-32854 Vulnerability in maven package org.webjars.bower:textangular

CVE-2020-7767 Vulnerability in npm package express-validators

Severity

Medium

Classification

CWE-1333 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Tags

Exploit Third Party Advisory Mailing List