Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk: MED] Regular Expression Denial of Service with ua-parser-js (due 4/18/21) #4392

Closed
lbeaufort opened this issue Feb 17, 2021 · 0 comments · Fixed by #4508
Closed

[Snyk: MED] Regular Expression Denial of Service with ua-parser-js (due 4/18/21) #4392

lbeaufort opened this issue Feb 17, 2021 · 0 comments · Fixed by #4508
Assignees
@rfultz
Labels
Security: moderate Remediate within 60 days
Milestone
Sprint 14.3

Comments

@lbeaufort
Copy link
Member

Regular Expression Denial of Service (ReDoS)

Vulnerable module: ua-parser-js
Introduced through: draft-js@0.11.7
Exploit maturity: No known exploit
Fixed in: 0.7.24
Detailed paths
Introduced through: fec-cms@1.0.0 › draft-js@0.11.7 › fbjs@2.0.0 › ua-parser-js@0.7.22
Remediation: Your dependencies are out of date, otherwise you would be using a newer ua-parser-js than ua-parser-js@0.7.22. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Overview
ua-parser-js is a lightweight JavaScript-based user-agent string parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Within src/ua-parser.js, the browser regex is vulnerable to exponential backtracking.
@lbeaufort lbeaufort added the Security: moderate Remediate within 60 days label Feb 17, 2021
@lbeaufort lbeaufort added this to the Sprint 14.3 milestone Feb 17, 2021
@lbeaufort lbeaufort mentioned this issue Feb 17, 2021
Closed
1 task
@patphongs patphongs mentioned this issue Feb 24, 2021
Closed
@hcaofec hcaofec mentioned this issue Mar 3, 2021
Closed
1 task
@patphongs patphongs mentioned this issue Mar 10, 2021
Closed
@lbeaufort lbeaufort mentioned this issue Mar 17, 2021
Closed
1 task
@rfultz rfultz self-assigned this Mar 23, 2021
@rfultz rfultz mentioned this issue Mar 23, 2021
Merged
@pkfec pkfec mentioned this issue Mar 24, 2021
Closed
@johnnyporkchops johnnyporkchops changed the title [Snyk: Med] Regular Expression Denial of Service with ua-parser-js (due 4/18/21) [Snyk: HIGH] Regular Expression Denial of Service with ua-parser-js (due 4/18/21) Mar 30, 2021
@johnnyporkchops johnnyporkchops changed the title [Snyk: HIGH] Regular Expression Denial of Service with ua-parser-js (due 4/18/21) [Snyk: MED] Regular Expression Denial of Service with ua-parser-js (due 4/18/21) Mar 30, 2021
@johnnyporkchops johnnyporkchops mentioned this issue Mar 30, 2021
Closed
1 task
@pkfec pkfec mentioned this issue Apr 7, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rfultz rfultz

Labels
Security: moderate Remediate within 60 days
Projects
None yet
Milestone
Sprint 14.3
Development

Successfully merging a pull request may close this issue.

Upgrade ua-parser-js fecgov/fec-cms
2 participants
@rfultz @lbeaufort