CVE-2020-8912
Regular Expression Denial of Service (ReDoS) vulnerability in aws-sdk-go (Go)
What is CVE-2020-8912 About?
Versions of `papaparse` prior to 5.2.0 are vulnerable to a Regular Expression Denial of Service (ReDoS) due to a malformed regular expression in the `parse` function. This flaw allows attackers to cause a denial of service by providing specific non-numerical inputs that stall system processing. Its exploitation complexity is low, primarily requiring the ability to supply malicious input.
Affected Software
Technical Details
The vulnerability is a Regular Expression Denial of Service (ReDoS) affecting papaparse versions older than 5.2.0. The parse function contains a malformed regular expression. When this regular expression processes specific, non-numerical inputs, it enters a state of catastrophic backtracking. This causes the regex engine to take an exponentially longer time to evaluate the input, consuming excessive CPU resources. By sending these specially crafted inputs, an attacker can make the application unresponsive, leading to a denial of service.
What is the Impact of CVE-2020-8912?
Successful exploitation may allow attackers to cause a denial of service, rendering the affected system or application unresponsive or unavailable to legitimate users.
What is the Exploitability of CVE-2020-8912?
Exploitation of this ReDoS vulnerability is generally straightforward and of low complexity. It typically requires an attacker to be able to submit untrusted, non-numerical data to the parse function of papaparse. There are usually no specific authentication or privilege requirements to trigger the vulnerability, as it targets how the application processes input. This can be a remote exploitation scenario if the application exposes an endpoint that processes user-supplied data using the vulnerable parse function. The special condition is the ability to craft input that triggers catastrophic backtracking in the specific regular expression. Risk factors are increased in applications that process arbitrary user-supplied data via papaparse without prior validation or sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2020-8912?
Available Upgrade Options
- github.com/aws/aws-sdk-go
- <1.34.0 → Upgrade to 1.34.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2020-8912
- https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc
- https://pkg.go.dev/vuln/GO-2022-0646
- https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09
- https://bugzilla.redhat.com/show_bug.cgi?id=1869801
- https://github.com/aws/aws-sdk-go/pull/3403
- https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4
- https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw
- https://github.com/aws/aws-sdk-go/commit/1e84382fa1c0086362b5a4b68e068d4f8518d40e
- https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09
What are Similar Vulnerabilities to CVE-2020-8912?
Similar Vulnerabilities: CVE-2023-35805 , CVE-2023-28155 , CVE-2023-24754 , CVE-2022-24707 , CVE-2020-8200
