CVE-2021-23364

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

CVSS v3.0 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182	Exploit Patch Third Party Advisory
https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98	Patch Third Party Advisory
https://github.com/browserslist/browserslist/pull/593	Third Party Advisory
https://github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474	Broken Link
https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194	Exploit Patch Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:browserslist_project:browserslist:*:*:*:*:*:node.js:*:*

Information

Published : 2021-04-28 09:15

Updated : 2021-05-05 13:15

NVD link : CVE-2021-23364

Mitre link : CVE-2021-23364

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

browserslist_project

browserslist

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182", "name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182", "tags": ["Exploit", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98", "name": "https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/browserslist/browserslist/pull/593", "name": "https://github.com/browserslist/browserslist/pull/593", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474", "name": "https://github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474", "tags": ["Broken Link"], "refsource": "MISC"}, {"url": "https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194", "name": "https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194", "tags": ["Exploit", "Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-23364", "ASSIGNER": "report@snyk.io"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}}, "publishedDate": "2021-04-28T16:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:browserslist_project:browserslist:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "4.16.5", "versionStartIncluding": "4.0.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-05-05T20:15Z"}