CVE-2021-27290

high

Description

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

References

https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf

https://npmjs.com

https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf

https://www.oracle.com/security-alerts/cpuoct2021.html

Details

Source: MITRE

Published: 2021-03-12

Updated: 2021-10-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins


| ID | Name | Product | Family | Severity |
| --- | --- | --- | --- | --- |
| 153822 | FreeBSD : Node.js -- July 2021 Security Releases (c174118e-1b11-11ec-9d9d-0022489ad614) | Nessus | FreeBSD Local Security Checks | medium |
| 153553 | RHEL 8 : nodejs:12 (RHSA-2021:3639) | Nessus | Red Hat Local Security Checks | high |
| 153552 | RHEL 8 : nodejs:12 (RHSA-2021:3638) | Nessus | Red Hat Local Security Checks | high |
| 152498 | Oracle Linux 8 : nodejs:12 (ELSA-2021-3073) | Nessus | Oracle Linux Local Security Checks | medium |
| 152495 | Oracle Linux 8 : nodejs:14 (ELSA-2021-3074) | Nessus | Oracle Linux Local Security Checks | medium |
| 152474 | openSUSE 15 Security Update : nodejs8 (openSUSE-SU-2021:1113-1) | Nessus | SuSE Local Security Checks | high |
| 152468 | CentOS 8 : nodejs:12 (CESA-2021:3073) | Nessus | CentOS Local Security Checks | medium |
| 152455 | CentOS 8 : nodejs:14 (CESA-2021:3074) | Nessus | CentOS Local Security Checks | medium |
| 152451 | RHEL 8 : nodejs:14 (RHSA-2021:3074) | Nessus | Red Hat Local Security Checks | medium |
| 152443 | RHEL 8 : nodejs:12 (RHSA-2021:3073) | Nessus | Red Hat Local Security Checks | medium |
| 152272 | SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2021:2326-1) | Nessus | SuSE Local Security Checks | high |
| 152258 | openSUSE 15 Security Update : nodejs8 (openSUSE-SU-2021:2618-1) | Nessus | SuSE Local Security Checks | high |
| 152253 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2021:2618-1) | Nessus | SuSE Local Security Checks | high |
| 152251 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2021:2620-1) | Nessus | SuSE Local Security Checks | high |
| 152133 | RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:2932) | Nessus | Red Hat Local Security Checks | medium |
| 152132 | RHEL 7 : rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:2931) | Nessus | Red Hat Local Security Checks | medium |
| 151975 | Node.js 12.x < 12.22.2 / 14.x < 14.17.2 / 16.x < 16.4.1 Multiple Vulnerabilities | Nessus | Misc. | medium |
| 151823 | openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:1059-1) | Nessus | SuSE Local Security Checks | high |
| 151818 | openSUSE 15 Security Update : nodejs10 (openSUSE-SU-2021:1061-1) | Nessus | SuSE Local Security Checks | high |
| 151814 | openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2021:1060-1) | Nessus | SuSE Local Security Checks | high |
| 151765 | SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2021:2354-1) | Nessus | SuSE Local Security Checks | high |
| 151758 | SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2021:2353-1) | Nessus | SuSE Local Security Checks | high |
| 151745 | openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2021:2354-1) | Nessus | SuSE Local Security Checks | high |
| 151727 | openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:2327-1) | Nessus | SuSE Local Security Checks | high |
| 151723 | openSUSE 15 Security Update : nodejs10 (openSUSE-SU-2021:2353-1) | Nessus | SuSE Local Security Checks | high |
| 151656 | SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2021:2323-1) | Nessus | SuSE Local Security Checks | high |
| 151655 | SUSE SLES15 Security Update : nodejs12 (SUSE-SU-2021:2327-1) | Nessus | SuSE Local Security Checks | high |
| 151650 | SUSE SLES12 Security Update : nodejs14 (SUSE-SU-2021:2319-1) | Nessus | SuSE Local Security Checks | high |