CVE-2021-21267

Summary

CVE	CVE-2021-21267
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-03-19 21:15:00 UTC
Updated	2022-06-30 19:08:00 UTC
Description	Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected. Users should upgrade to version 2.0.0, which uses a regex expression that isn't vulnerable to ReDoS.

Risk And Classification

Problem Types: CWE-20 | CWE-400

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Netapp	E-series Performance Analyzer	-	All	All	All
Application	Netapp	Oncommand Insight	-	All	All	All
Application	Schema-inspector Project	Schema-inspector	All	All	All	All

References

Reference	Source	Link	Tags
schema-inspector	MISC	www.npmjs.com
CVE-2021-21267 Node.js Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
ReDoS in Schema-Inspector (email validation) · Advisory · schema-inspector/schema-inspector · GitHub	CONFIRM	github.com
GHSL-2020-358-redos-Schema-Inspector.md · GitHub	MISC	gist.github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

982375 Nodejs (npm) Security Update for schema-inspector (GHSA-f38p-c2gq-4pmr)