It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
References
Link | Resource |
---|---|
https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first | Vendor Advisory |
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 | Release Notes Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2022.html | Not Applicable Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-01-26T20:39:56
Updated: 2022-02-07T14:41:52
Reserved: 2021-01-26T00:00:00
Link: CVE-2021-26272
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-01-26T21:15:12.923
Modified: 2022-03-01T17:18:39.243
Link: CVE-2021-26272
JSON object: View
Redhat Information
No data.
CWE