Project: ActiveMQ Classic
Issue: AMQ-9536

[Security] CVE-2020-27511 fix needed for activemq-osgi-5.17.6 and strudl.0.3.13


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.17.6
    • Fix Version/s: None
    • Component/s: Security/JAAS
    • Labels: None

    Description

      Description :
      Severity : CVE CVSS 3: 7.5; Sonatype CVSS 3: 7.5
      Weakness : Sonatype CWE: 400
      Source : National Vulnerability Database
      Categories : Data

      Description from CVE : An issue was discovered in the stripTags and unescapeHTML components in Prototype 1.7.3 where an attacker can cause a Regular Expression Denial of Service through stripping crafted HTML tags.

      Explanation : The prototype package is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. The stripTags() function in the String.js file used to unescape HTML fails to efficiently parse and remove tags within a given string. An attacker can exploit this vulnerability by submitting a crafted code block which, when parsed by the affected function, will exhaust system resources and trigger a DoS condition.

      Detection : The application is vulnerable by using this component.

      Recommendation : There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control.

      Root Cause : activemq-osgi-5.17.6.jar : org/apache/activemq/web/prototype.js : [ , ]

      Advisories : Attack: https://github.com/AlyxRen/prototype.node.js

      CVSS Details : CVE CVSS 3: 7.5; CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

      CVE : CVE-2020-27511

      URL : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511

      Remediation : This component does not have any non-vulnerable version. Please contact the vendor to get this vulnerability fixed.
      ===

      Description :
      Severity : CVE CVSS 3: 7.5; Sonatype CVSS 3: 7.5
      Weakness : Sonatype CWE: 400
      Source : National Vulnerability Database
      Categories : Data

      Description from CVE : An issue was discovered in the stripTags and unescapeHTML components in Prototype 1.7.3 where an attacker can cause a Regular Expression Denial of Service through stripping crafted HTML tags.

      Explanation : The prototype package is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. The stripTags() function in the String.js file used to unescape HTML fails to efficiently parse and remove tags within a given string. An attacker can exploit this vulnerability by submitting a crafted code block which, when parsed by the affected function, will exhaust system resources and trigger a DoS condition.

      Detection : The application is vulnerable by using this component.

      Recommendation : There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control.

      Root Cause : strudl.0.3.13 : [ , ]

      Advisories : Attack: https://github.com/AlyxRen/prototype.node.js

      CVSS Details : CVE CVSS 3: 7.5; CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

      CVE : CVE-2020-27511

      URL : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511

      Remediation : This component does not have any non-vulnerable version. Please contact the vendor to get this vulnerability fixed.

          People

            Assignee: Unassigned
            Reporter: arajwade (Abhijit Rajwade)