CVE-2020-5243

uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.
Configurations

Configuration 1 (hide)

cpe:2.3:a:uap-core_project:uap-core:*:*:*:*:*:node.js:*:*

History

08 Feb 2024, 20:12

Type Values Removed Values Added
CPE cpe:2.3:a:uap-core_project:uap-core:*:*:*:*:*:*:*:* cpe:2.3:a:uap-core_project:uap-core:*:*:*:*:*:node.js:*:*
References () https://github.com/ua-parser/uap-core/commit/0afd61ed85396a3b5316f18bfd1edfaadf8e88e1 - Patch, Third Party Advisory () https://github.com/ua-parser/uap-core/commit/0afd61ed85396a3b5316f18bfd1edfaadf8e88e1 - Patch
CWE CWE-400 CWE-1333

Information

Published : 2020-02-21 00:15

Updated : 2024-02-08 20:12


NVD link : CVE-2020-5243

Mitre link : CVE-2020-5243

CVE.ORG link : CVE-2020-5243


JSON object : View

Products Affected

uap-core_project

  • uap-core
CWE
CWE-1333

Inefficient Regular Expression Complexity

CWE-20

Improper Input Validation