CVE-2023-26112 — configobj ReDoS exploitable by developer using values in a server-side configura

Description

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.

How to fix CVE-2023-26112

To remediate CVE-2023-26112, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 5.0.9 or later

Is CVE-2023-26112 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 5.0.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-26112
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-26112
PATCHgithub.com/DiffSK/configobj
WEBgithub.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5
WEB