CVE-2020-13949
Regular Expression Denial of Service (ReDoS) vulnerability in libthrift (Maven)

Category: Regular Expression Denial of Service (ReDoS)
Exploit status: No known exploit

What is CVE-2020-13949 About?

This vulnerability in `braces` versions prior to 2.3.1 allows for Regular Expression Denial of Service (ReDoS). Untrusted input can trigger catastrophic backtracking in regular expressions, causing applications to become unresponsive. Exploitation is relatively easy, given the right untrusted input.

Affected Software

org.apache.thrift:libthrift >0.9.3, <0.14.0

Technical Details

The vulnerability lies within the braces library, specifically in versions before 2.3.1. It is a Regular Expression Denial of Service (ReDoS) vulnerability. When the library processes untrusted input, certain patterns within that input, when matched against poorly constructed regular expressions internally, can cause 'catastrophic backtracking'. This means the regular expression engine gets stuck in an exponentially growing number of evaluation steps, consuming excessive CPU resources and rendering the application unresponsive. The attack vector involves providing a maliciously crafted string as input to functions that utilize the vulnerable regular expressions, leading to a denial of service.

What is the Impact of CVE-2020-13949?

Successful exploitation may allow an attacker to make the application unresponsive and tie up CPU resources, resulting in a denial of service that affects the availability of the service.

What is the Exploitability of CVE-2020-13949?

Exploitation complexity is low to medium, requiring the attacker to supply a specially crafted input string to an application that uses the vulnerable braces library. There are generally no authentication or specific privilege requirements, as the attack typically involves passing untrusted data through a regular application input mechanism. This is generally a remote exploitation scenario if the input can be controlled remotely. The primary risk factor is any application endpoint that processes user-supplied text or data using the braces library without adequate sanitization or input validation, making it susceptible to ReDoS attacks.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-13949?

Available Upgrade Options

  • org.apache.thrift:libthrift
    • >0.9.3, <0.14.0 → Upgrade to 0.14.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-13949?

Similar Vulnerabilities: CVE-2023-28155, CVE-2021-23429, CVE-2020-28169, CVE-2022-24706, CVE-2023-46219