#VU80344 Inefficient regular expression complexity in Postcss - CVE-2021-23382

Cybersecurity Help s.r.o.

Published: 2023-09-04

Vulnerability identifier: #VU80344

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23382

CWE-ID: CWE-1333

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Postcss
/

Vendor: Postcss

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions within the getAnnotationURL() and loadAnnotation() functions in lib/previous-map.js. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Postcss: 7.0.0 - 8.2.12

External links
http://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641
http://snyk.io/vuln/SNYK-JS-POSTCSS-1255640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak System

Multiple vulnerabilities in IBM Planning Analytics Workspace

Multiple vulnerabilities in IBM QRadar User Behavior Analytics

Splunk Enterprise update for third-party packages

Regular expression denial of service in postcss