GHSA-c33w-24p9-8m24

Source

https://github.com/advisories/GHSA-c33w-24p9-8m24

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-c33w-24p9-8m24/GHSA-c33w-24p9-8m24.json

Aliases

CVE-2023-26112

Published

2023-04-03T06:30:19Z

Modified

2024-02-18T05:29:13.278368Z

Details

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)((.*)). Note: This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-26112
https://github.com/DiffSK/configobj/issues/232
https://github.com/DiffSK/configobj
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BO4RLMYEJODCNUE3DJIIUUFVTPAG6VN
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK
https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494

Affected packages

PyPI / configobj

Package

Name: configobj

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Last affected

5.0.8

Affected versions

4.*

4.4.0

4.5.0

4.5.1

4.5.2

4.5.3

4.6.0

4.7.0

4.7.1

4.7.2

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8