CVE-2020-7760

Published Oct 30, 2020

Last updated 3 years ago

CVSS high 7.5

Overview

Description: This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)*
Source: report@snyk.io
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses

nvd@nist.gov: CWE-400

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:codemirror:codemirror:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CB9C8EAD-6979-4D83-AE2F-FB3836AF5F57",
            "versionEndExcluding": "5.58.2"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "96FC5AC6-88AC-4C4D-8692-7489D6DE8E16",
            "versionEndExcluding": "20.2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:enterprise_manager_express_user_interface:19c:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "30CC9F81-B73C-4DE9-A781-2A1D74B8148E"
          },
          {
            "criteria": "cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "394A16F2-CCD4-44E5-BF6B-E0C782A9FA38"
          },
          {
            "criteria": "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "ED431C42-980D-4E28-8036-C01A5120663F",
            "versionEndExcluding": "11.2.9.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:spatial_studio:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F1F23F92-E623-4A7D-879C-E5142319E6D8",
            "versionEndExcluding": "19.1.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References