CVE-2018-20164
MEDIUM5.3EPSS 0.97%uap-core Regular Expression Denial of Service issue
Published: 3/6/2019Modified: 11/8/2023
Description
An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS) issue allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to a value containing a long digit string. (The UAP-Core project contains the vulnerability, propagating to all implementations.)
Affected packages (2)
- Debian/uap-corefrom 0, < 20190213-1
- npm/uap-corefrom 0, < 0.6.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-20164
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-20164
- PATCHhttps://github.com/ua-parser/uap-core
- WEBhttps://github.com/ua-parser/uap-core/commit/010ccdc7303546cd22b9da687c29f4a996990014
- WEBhttps://github.com/ua-parser/uap-core/commit/156f7e12b215bddbaf3df4514c399d683e6cdadc
- WEBhttps://github.com/ua-parser/uap-core/issues/332
- WEBhttps://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser