CVE-2017-20162

A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.

CVSS v3.0 5.3 MEDIUM

5.3^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/vercel/ms/releases/tag/2.0.0	Patch Release Notes Third Party Advisory
https://vuldb.com/?ctiid.217451	Permissions Required Third Party Advisory
https://github.com/vercel/ms/pull/89	Exploit Issue Tracking Patch Third Party Advisory
https://vuldb.com/?id.217451	Permissions Required Third Party Advisory
https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662	Patch Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:vercel:ms:*:*:*:*:*:node.js:*:*

Information

Published : 2023-01-05 04:15

Updated : 2023-01-11 11:29

NVD link : CVE-2017-20162

Mitre link : CVE-2017-20162

JSON object : View

CWE

CWE-1333

Inefficient Regular Expression Complexity

Advertisement

Products Affected

vercel

ms

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/vercel/ms/releases/tag/2.0.0", "name": "https://github.com/vercel/ms/releases/tag/2.0.0", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://vuldb.com/?ctiid.217451", "name": "https://vuldb.com/?ctiid.217451", "tags": ["Permissions Required", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/vercel/ms/pull/89", "name": "https://github.com/vercel/ms/pull/89", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://vuldb.com/?id.217451", "name": "https://vuldb.com/?id.217451", "tags": ["Permissions Required", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662", "name": "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-1333"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2017-20162", "ASSIGNER": "cna@vuldb.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}}, "publishedDate": "2023-01-05T12:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:vercel:ms:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.0.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-01-11T19:29Z"}