CVE-2021-26271

Summary

CVE	CVE-2021-26271
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-01-26 21:15:00 UTC
Updated	2021-12-01 16:16:00 UTC
Description	It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).

Risk And Classification

Problem Types: CWE-829

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Ckeditor	Ckeditor	All	All	All	All
Application	Ckeditor	Ckeditor	All	All	All	All
Application	Oracle	Agile Plm	9.3.5	All	All	All
Application	Oracle	Agile Plm	9.3.6	All	All	All
Application	Oracle	Application Express	All	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	8.1.0	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	8.1.1	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Siebel Ui Framework	All	All	All	All
Application	Oracle	Webcenter Sites	12.2.1.3.0	All	All	All
Application	Oracle	Webcenter Sites	12.2.1.4.0	All	All	All

References

Reference	Source	Link	Tags
CKEditor 4.16 with improved image pasting, High Contrast support and a new color API	CONFIRM	ckeditor.com	Vendor Advisory
ckeditor4/CHANGES.md at major · ckeditor/ckeditor4 · GitHub	MISC	github.com	Release Notes, Third Party Advisory
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

179408 Debian Security Update for ckeditor (CVE-2021-26271)