GHSA-pcqq-5962-hvcw

Source
https://github.com/advisories/GHSA-pcqq-5962-hvcw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-pcqq-5962-hvcw/GHSA-pcqq-5962-hvcw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pcqq-5962-hvcw
Published
2020-03-10T18:02:49Z
Modified
2024-12-02T05:47:40.883263Z
Summary
Denial of Service in uap-core when processing crafted User-Agent strings
Details

Impact

Some regexes are vulnerable to regular expression denial of service (ReDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to a maliciously crafted long string.
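The following added example (not code from uap-core or the user_agent_parser gem) illustrates the regex shape the Impact paragraph describes: a constructed pattern whose repeated group overlaps with its separator, beside an unambiguous rewrite, and a byte-length cap applied to the User-Agent value before any regex runs. The two regexes, the 512-byte limit and the helper names are assumptions made for this illustration, not values from the advisory or the gem.

```ruby
require "benchmark"

# Added example, not code from uap-core or the user_agent_parser gem.
#
# A constructed illustration of the overlapping-group shape the advisory
# describes (not a pattern taken from uap-core): inside the repeated group,
# `\w+` and the optional `\s?` separator let a run of word characters be
# split into many different sequences of group iterations. When the input
# ends in a character that cannot match, every split is tried before the
# match finally fails.
OVERLAPPING_RE = /\A(\w+\s?)*\z/

# The same language written so that every further iteration starts with a
# mandatory separator: a word, then zero or more (whitespace, word) pairs.
# There is only one way to partition a given input, so a failing match is
# found in time proportional to the input length.
UNAMBIGUOUS_RE = /\A\w+(\s\w+)*\z/

# Cap on the User-Agent value, in bytes (an assumed value for this example;
# genuine browser UA strings are a few hundred bytes). Enforced before any
# regex runs, so the client cannot choose how much backtracking work to cause.
MAX_UA_LENGTH = 512

# Classifies a User-Agent value without letting its length drive regex cost.
# Returns :rejected (nil or over the cap), :matched or :unmatched.
def classify_user_agent(ua, regex: UNAMBIGUOUS_RE, max_len: MAX_UA_LENGTH)
  return :rejected if ua.nil? || ua.bytesize > max_len
  regex.match?(ua) ? :matched : :unmatched
end

# Constructed worst-case probe: n word characters followed by one character
# that no part of either pattern accepts, so the whole match must fail.
def worst_case_input(n)
  ("a" * n) + "!"
end

# Wall-clock seconds for a single match attempt.
def match_seconds(regex, input)
  Benchmark.realtime { regex.match?(input) }
end

if __FILE__ == $PROGRAM_NAME
  # Compare how the two patterns scale on the failing input. Ruby 3.2 and
  # later memoize backtracking and keep many such patterns near-linear; older
  # Ruby engines (and other backtracking engines that consume the same
  # shared regex definitions) show rapid growth for OVERLAPPING_RE.
  [8, 12, 16, 20].each do |n|
    input = worst_case_input(n)
    printf("n=%2d  overlapping: %.6fs  unambiguous: %.6fs\n", n,
           match_seconds(OVERLAPPING_RE, input),
           match_seconds(UNAMBIGUOUS_RE, input))
  end
  p classify_user_agent("Mozilla 5 Linux x86_64") # => :matched
  p classify_user_agent("a" * 10_000)             # => :rejected
end
```

The length cap is the cheap, engine-independent control: it bounds the worst case of every regex the parser runs, including ones you did not audit. Rewriting patterns so that each loop iteration begins with a mandatory, non-overlapping token removes the ambiguity itself, which is what the fixed uap-core release does for its own expressions; on Ruby 3.2 and later, `Regexp.timeout` gives a further backstop at the engine level.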

Patches

Please update uap-ruby to >= v2.6.0

For more information

https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p

Reported in uap-core by Ben Caller @bcaller

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-10T16:48:58Z"
}
Affected packages

RubyGems / user_agent_parser

Package

Name
user_agent_parser
Purl
pkg:gem/user_agent_parser

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.6.0

Affected versions

0.*

0.1.0
0.1.1
0.1.2

1.*

1.0.0
1.0.1
1.0.2

2.*

2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.5.3