CVE-2021-43843

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-43843
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43843.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-43843
Aliases
Related
Published
2021-12-20T22:15:07Z
Modified
2025-01-15T02:08:35.456783Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into <blockquote> tag with including multibyte characters, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in <blockquote> with multibyte characters.

References

Affected packages

Git / github.com/yhatt/jsx-slack

Affected ranges

Type
GIT
Repo
https://github.com/yhatt/jsx-slack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v0.*

v0.1.0
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.12.0
v0.2.0
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.1
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.9.0
v0.9.1
v0.9.2

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.5.1
v1.6.0
v1.7.0

v2.*

v2.0.0
v2.0.0-alpha.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-beta.0
v2.0.0-beta.1
v2.0.0-beta.2
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.4.0
v2.5.0
v2.5.1
v2.6.0

v3.*

v3.0.0

v4.*

v4.0.0
v4.1.0
v4.2.0
v4.2.1
v4.3.0
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.1