Vulnerabilities related to css-what_project - css-what
Vulnerability from fkie_nvd
Published
2021-05-28 20:15
Modified
2024-11-21 06:09
Summary
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
References
Source | URL | Tags |
---|---|---|
cve@mitre.org | https://github.com/fb55/css-what/releases/tag/v5.0.1 | Patch, Release Notes, Third Party Advisory |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html | |
cve@mitre.org | https://security.netapp.com/advisory/ntap-20210706-0007/ | Third Party Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/fb55/css-what/releases/tag/v5.0.1 | Patch, Release Notes, Third Party Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html | |
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210706-0007/ | Third Party Advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
css-what_project | css-what | 4.0.0 |
css-what_project | css-what | 5.0.0 |
netapp | e-series_performance_analyzer | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:css-what_project:css-what:4.0.0:*:*:*:*:node.js:*:*", matchCriteriaId: "5BEE51B0-F2BB-43D6-AF8D-17D94E599014", vulnerable: true, }, { criteria: "cpe:2.3:a:css-what_project:css-what:5.0.0:*:*:*:*:node.js:*:*", matchCriteriaId: "E2F67046-07B3-4FC4-9B28-ED197CF16A25", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*", matchCriteriaId: "24B8DB06-590A-4008-B0AB-FCD1401C77C6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.", }, { lang: "es", value: "El paquete css-what versión 4.0.0 hasta la versión 5.0.0 para Node.js no asegura que el análisis sintáctico de atributos tenga una complejidad de tiempo lineal en relación con el tamaño de la entrada", }, ], id: "CVE-2021-33587", lastModified: "2024-11-21T06:09:08.927", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 
version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-05-28T20:15:07.733", references: [ { source: "cve@mitre.org", tags: [ "Patch", "Release Notes", "Third Party Advisory", ], url: "https://github.com/fb55/css-what/releases/tag/v5.0.1", }, { source: "cve@mitre.org", url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210706-0007/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Release Notes", "Third Party Advisory", ], url: "https://github.com/fb55/css-what/releases/tag/v5.0.1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210706-0007/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-30 05:15
Modified
2024-11-21 06:44
Severity
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
References
Impacted products
Vendor | Product | Version |
---|---|---|
css-what_project | css-what | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:css-what_project:css-what:*:*:*:*:*:node.js:*:*", matchCriteriaId: "004658D4-A63D-4954-A507-A80F9C07B13D", versionEndExcluding: "2.1.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.", }, { lang: "es", value: "El paquete css-what versiones anteriores a 2.1.3, es vulnerable a una Denegación de Servicio por Expresión Regular (ReDoS) debido al uso de una expresión regular no segura en la variable re_attr del archivo index.js. La explotación de esta vulnerabilidad podría desencadenarse por medio de la función parse", }, ], id: "CVE-2022-21222", lastModified: "2024-11-21T06:44:08.667", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "report@snyk.io", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-30T05:15:08.713", references: [ { source: "report@snyk.io", tags: [ "Broken Link", "Third 
Party Advisory", ], url: "https://github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12", }, { source: "report@snyk.io", url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html", }, { source: "report@snyk.io", tags: [ "Exploit", "Third Party Advisory", ], url: "https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", ], url: "https://github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488", }, ], sourceIdentifier: "report@snyk.io", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-1333", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2021-33587
Vulnerability from cvelistv5
Published
2021-05-28 00:00
Modified
2024-08-03 23:50
Summary
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:50:43.024Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/fb55/css-what/releases/tag/v5.0.1", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210706-0007/", }, { name: "[debian-lts-announce] 20230303 [SECURITY] [DLA 3350-1] node-css-what security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-03-03T00:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/fb55/css-what/releases/tag/v5.0.1", }, { url: "https://security.netapp.com/advisory/ntap-20210706-0007/", }, { name: "[debian-lts-announce] 20230303 [SECURITY] [DLA 3350-1] node-css-what security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-33587", datePublished: "2021-05-28T00:00:00", dateReserved: "2021-05-27T00:00:00", dateUpdated: "2024-08-03T23:50:43.024Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-21222
Vulnerability from cvelistv5
Published
2022-09-30 05:05
Modified
2024-09-17 00:31
Summary
The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T02:31:59.016Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488", }, { tags: [ "x_transferred", ], url: "https://github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12", }, { name: "[debian-lts-announce] 20230303 [SECURITY] [DLA 3350-1] node-css-what security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "css-what", vendor: "n/a", versions: [ { lessThan: "2.1.3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Snyk Research Team", }, ], datePublic: "2022-09-30T00:00:00", descriptions: [ { lang: "en", value: "The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. 
The exploitation of this vulnerability could be triggered via the parse function.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", exploitCodeMaturity: "PROOF_OF_CONCEPT", integrityImpact: "NONE", privilegesRequired: "NONE", remediationLevel: "NOT_DEFINED", reportConfidence: "NOT_DEFINED", scope: "UNCHANGED", temporalScore: 5, temporalSeverity: "MEDIUM", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Regular Expression Denial of Service (ReDoS)", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-03-03T00:00:00", orgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", shortName: "snyk", }, references: [ { url: "https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488", }, { url: "https://github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12", }, { name: "[debian-lts-announce] 20230303 [SECURITY] [DLA 3350-1] node-css-what security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html", }, ], title: "Regular Expression Denial of Service (ReDoS)", }, }, cveMetadata: { assignerOrgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", assignerShortName: "snyk", cveId: "CVE-2022-21222", datePublished: "2022-09-30T05:05:11.059417Z", dateReserved: "2022-02-24T00:00:00", dateUpdated: "2024-09-17T00:31:50.814Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }