#VU88853 Incorrect Regular Expression in pydantic - CVE-2024-3772

Cybersecurity Help s.r.o.

Published: 2024-04-19

Vulnerability identifier: #VU88853

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-3772

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pydantic
Other software / Other software solutions

Vendor: Pydantic

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted email string to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..

Vulnerable software versions

pydantic: before 1.10.13

External links
https://github.com/pydantic/pydantic/pull/7360

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data update for Pydanic

SUSE update for python-pydantic

Ubuntu update for pydantic

Multiple vulnerabilities in IBM Security QRadar EDR

Splunk Python for Scientific Computing update for third-party packages

Multiple vulnerabilities in IBM QRadar Suite Software

Incorrect regular expression in IBM Process Mining

Multiple vulnerabilities in Ansible Automation Platform 2.4 packages

Fedora EPEL 9 update for python-pydantic

Fedora 38 update for python-pydantic