search

RobertMickleCx / NodeGoat

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
Apache License 2.0
1 stars 0 forks source link

CVE-2021-3807 @ Npm-ansi-regex-2.1.1 #147

Open RobertMickleCx opened 1 year ago

RobertMickleCx commented 1 year ago

Vulnerable Package issue exists @ Npm-ansi-regex-2.1.1 in branch master

ansi-regex prior to 5.0.1 and 6.0.x prior to 6.0.1 is vulnerable to Inefficient Regular Expression Complexity

Namespace: RobertMickleCx Repository: NodeGoat Repository Url: https://github.com/RobertMickleCx/NodeGoat CxAST-Project: RobertMickleCx/NodeGoat CxAST platform scan: 4cad0b9d-cbe1-4acd-bb82-244764df9dbd Branch: master Application: NodeGoat Severity: HIGH State: NOT_IGNORED Status: RECURRENT CWE: CWE-1333

Additional Info Attack vector: NETWORK Attack complexity: LOW Confidentiality impact: NONE Availability impact: HIGH

References Advisory POC/Exploit Pull request Commit Issue

joebowbeer commented 1 year ago

@RobertMickleCx Has some agent misinterpreted the affected ranges of CVE-2021-3807?

See affected ranges in https://github.com/advisories/GHSA-93q8-gq69-wqmw

Confirmed: https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774

The vulnerability does not exist in versions v2.1.1 and lower.