CVE-2022-21222 - OpenCVE

The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Css-what Project	Css-what

Configuration 1 [-]

cpe:2.3:a:css-what_project:css-what:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12	Broken Link Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html
https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2022-09-30T00:00:00

Updated: 2023-03-03T00:00:00

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-21222

JSON object: View

NVD Information

Status : Modified

Published: 2022-09-30T05:15:08.713

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-21222

JSON object: View

Redhat Information

No data.

CWE

CWE-1333

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:css-what_project:css-what:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "004658D4-A63D-4954-A507-A80F9C07B13D", "versionEndExcluding": "2.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function."}, {"lang": "es", "value": "El paquete css-what versiones anteriores a 2.1.3, es vulnerable a una Denegaci\u00f3n de Servicio por Expresi\u00f3n Regular (ReDoS) debido al uso de una expresi\u00f3n regular no segura en la variable re_attr del archivo index.js. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda desencadenarse por medio de la funci\u00f3n parse"}], "id": "CVE-2022-21222", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-09-30T05:15:08.713", "references": [{"source": "report@snyk.io", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12"}, {"source": "report@snyk.io", "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}