CGA-45f3-3fmq-7h5w
Regular Expression Denial of Service (ReDoS) vulnerability in cryptography (PyPI)
What is CGA-45f3-3fmq-7h5w About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) affecting versions of the 'cross-spawn' package before 7.0.5, stemming from improper input sanitization. An attacker can craft a specific string that causes excessive CPU usage, leading to program crashes. Exploitation is relatively easy by manipulating user input.
Affected Software
Technical Details
The vulnerability resides in the way the 'cross-spawn' package handles regular expressions, specifically due to improper input sanitization. Certain regular expressions, when combined with crafted input strings, can exhibit 'catastrophic backtracking'. This occurs when the regex engine backtracks excessively to match the pattern, consuming significant CPU resources. An attacker sends a specially designed string as input to a function utilizing the vulnerable regex, causing it to enter a state where it spends an inordinate amount of time processing a seemingly simple input, effectively making the application unresponsive and leading to a denial of service.
What is the Impact of CGA-45f3-3fmq-7h5w?
Successful exploitation may allow attackers to degrade system performance, cause application unresponsiveness, or lead to a complete denial of service, disrupting normal operations.
What is the Exploitability of CGA-45f3-3fmq-7h5w?
Exploitation is of moderate complexity, requiring knowledge of the application's input processing and specific regex patterns used. No authentication or privileged access is generally needed, as the vulnerability typically targets publicly accessible input fields. Access would be remote, as it involves sending a malicious input string. The likelihood of exploitation increases when user-controlled input is directly used in regular expression evaluations without proper sanitization, making applications that process dynamic content or user queries particularly susceptible.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CGA-45f3-3fmq-7h5w?
Available Upgrade Options
- cryptography: <42.0.0 → Upgrade to 42.0.0
Additional Resources
- https://access.redhat.com/security/cve/CVE-2023-50782
- https://nvd.nist.gov/vuln/detail/CVE-2023-50782
- https://github.com/pyca/cryptography
- https://github.com/pyca/cryptography/issues/9785
- https://bugzilla.redhat.com/show_bug.cgi?id=2254432
- https://www.couchbase.com/alerts/
- https://osv.dev/vulnerability/GHSA-3ww4-gg4f-jr7f
What are Similar Vulnerabilities to CGA-45f3-3fmq-7h5w?
Similar Vulnerabilities: CVE-2023-26136, CVE-2023-23916, CVE-2022-31129, CVE-2022-25902, CVE-2022-24795
