CVE-2023-26115 - OpenCVE

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Word-wrap Project	Word-wrap

Configuration 1 [-]

cpe:2.3:a:word-wrap_project:word-wrap:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39	Broken Link
https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657	Exploit Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2023-06-22T05:00:01.472Z

Updated: 2024-06-26T19:11:06.508Z

Reserved: 2023-02-20T10:28:48.922Z

Link: CVE-2023-26115

JSON object: View

NVD Information

Status : Modified

Published: 2023-06-22T05:15:09.157

Modified: 2024-06-21T19:15:25.887

Link: CVE-2023-26115

JSON object: View

Redhat Information

No data.

CWE

CWE-1333

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-26115", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-20T10:28:48.922Z", "datePublished": "2023-06-22T05:00:01.472Z", "dateUpdated": "2024-06-26T19:11:06.508Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P"}}], "credits": [{"value": "Carter Snook", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "description": "Regular Expression Denial of Service (ReDoS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-06-22T05:00:01.472Z"}, "descriptions": [{"value": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\r\r", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657"}, {"url": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39"}, {"url": "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}], "affected": [{"product": "word-wrap", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}, {"product": "org.webjars.npm:word-wrap", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-26T19:10:49.434426Z", "id": "CVE-2023-26115", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T19:11:06.508Z"}}]}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:word-wrap_project:word-wrap:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F9B3A751-DF84-4680-B6CB-4D30C7F9FF5D", "versionEndExcluding": "1.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\r\r"}], "id": "CVE-2023-26115", "lastModified": "2024-06-21T19:15:25.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-06-22T05:15:09.157", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4"}, {"source": "report@snyk.io", "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "report@snyk.io", "type": "Secondary"}]}