#VU80337 Incorrect Regular Expression in prism - CVE-2021-3801

Cybersecurity Help s.r.o.

Published: 2023-09-04

Vulnerability identifier: #VU80337

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-3801

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
prism
Other software / Other software solutions

Vendor: PrismJS

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can trick the victim into opening specially crafted data and perform regular expression denial of service (ReDos) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

prism: before 1.25.0

External links
https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a
https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Storage Defender Data Protect

Multiple vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes 3.67