Vulnerability Details : CVE-2021-42836
GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.
Vulnerability category: Denial of service
Products affected by CVE-2021-42836
- cpe:2.3:a:gjson_project:gjson:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-42836
- EPSS score: 0.35% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~72% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-42836
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
CWE ids for CVE-2021-42836
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-42836
- https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944
  Update match dependency · tidwall/gjson@590010f · GitHub (Patch; Third Party Advisory)
- https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96
  Limit the complexity of "like" queries that match on a pattern. · tidwall/gjson@77a57fd · GitHub (Patch; Third Party Advisory)
- https://github.com/tidwall/gjson/compare/v1.9.2...v1.9.3
  Comparing v1.9.2...v1.9.3 · tidwall/gjson · GitHub (Release Notes; Third Party Advisory)
- https://github.com/tidwall/gjson/issues/236
  gjson.Get can cause DoS attacks. GJSON <= 1.9.1 allows attackers to cause a redos via crafted JSON input. · Issue #236 · tidwall/gjson · GitHub (Exploit; Issue Tracking; Third Party Advisory)
- https://github.com/tidwall/gjson/issues/237
  gjson.Get can cause DoS attacks. GJSON <= 1.9.2 allows attackers to cause a redos via crafted JSON input. · Issue #237 · tidwall/gjson · GitHub (Exploit; Issue Tracking; Patch; Third Party Advisory)