CVE-2021-43307 — Regular expression denial of service in semver-regex

描述

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

如何修補 CVE-2021-43307

要修補 CVE-2021-43307,請將受影響套件升級到下列已修補版本。

npm/semver-regex—升級至 3.1.4 或更新版本

CVE-2021-43307 正在被利用嗎?

低 — EPSS 為 0.6%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 3.1.4

參考連結(4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-43307
PATCHgithub.com/sindresorhus/semver-regex
WEBgithub.com/sindresorhus/semver-regex/commit/d8ba39a528c1027c43ab23f12eec28ca4d40dd0c
WEBresearch.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349