The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"fixed": "1.0"
}
],
"vendor_product": "siemens:sinec_ins",
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*",
"cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*"
],
"vendor_product": "siemens:sinec_ins",
"extracted_events": [
{
"introduced": "1.0-NA"
},
{
"last_affected": "1.0-NA"
},
{
"introduced": "1.0-sp1"
},
{
"last_affected": "1.0-sp1"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": "cpe:2.3:a:ua-parser-js_project:ua-parser-js:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "0.7.23"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}