CVE-2021-27290
Summary
| CVE | CVE-2021-27290 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-03-12 22:15:00 UTC |
| Updated | 2022-05-13 20:51:00 UTC |
| Description | ssri 5.2.2 through 8.0.0, fixed in 8.0.1, processes SRIs using a regular expression that is vulnerable to regular expression denial of service (ReDoS). Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Oracle | Graalvm | 20.3.3 | All | All | All |
| Application | Oracle | Graalvm | 21.2.0 | All | All | All |
| Application | Siemens | Sinec Infrastructure Network Services | All | All | All | All |
| Application | Ssri Project | Ssri | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf | MISC | doyensec.com | Exploit, Patch, Third Party Advisory |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | CONFIRM | cert-portal.siemens.com | |
| SaveResults/ssri-redos.pdf at main · yetingli/SaveResults · GitHub | MISC | github.com | Exploit, Third Party Advisory |
| parked | MISC | npmjs.com | Product |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159345 Oracle Enterprise Linux Security Update for nodejs:12 (ELSA-2021-3073)
- 159346 Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2021-3074)
- 180031 Debian Security Update for node-ssri (CVE-2021-27290)
- 239531 Red Hat Update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:2932)
- 239532 Red Hat Update for rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:2931)
- 239547 Red Hat Update for nodejs:14 (RHSA-2021:3074)
- 239548 Red Hat Update for nodejs:12 (RHSA-2021:3073)
- 239654 Red Hat Update for nodejs:12 (RHSA-2021:3639)
- 239655 Red Hat Update for nodejs:12 (RHSA-2021:3638)
- 375692 Node.js Denial Of Service and PATH,DLL hijacking Vulnerabilities July 2021
- 376087 Azul Java Multiple Vulnerabilities Security Update October 2021
- 377329 Alibaba Cloud Linux Security Update for nodejs:14 (ALINUX3-SA-2021:0056)
- 501450 Alpine Linux Security Update for nodejs
- 690034 Free Berkeley Software Distribution (FreeBSD) Security Update for node.js (c174118e-1b11-11ec-9d9d-0022489ad614)
- 750833 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:2327-1)
- 750837 SUSE Enterprise Linux Security Update for nodejs10 (SUSE-SU-2021:2353-1)
- 750840 OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:2353-1)
- 750841 OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:2354-1)
- 750857 OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:1060-1)
- 750858 OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:1061-1)
- 750859 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:1059-1)
- 750922 SUSE Enterprise Linux Security Update for nodejs8 (SUSE-SU-2021:2620-1)
- 750928 OpenSUSE Security Update for nodejs8 (openSUSE-SU-2021:2618-1)
- 750939 OpenSUSE Security Update for nodejs8 (openSUSE-SU-2021:1113-1)
- 940245 AlmaLinux Security Update for nodejs:14 (ALSA-2021:3074)
- 940398 AlmaLinux Security Update for nodejs:12 (ALSA-2021:3073)
- 960063 Rocky Linux Security Update for nodejs:14 (RLSA-2021:3074)
- 960082 Rocky Linux Security Update for nodejs:12 (RLSA-2021:3073)
- 980342 Nodejs (npm) Security Update for ssri (GHSA-vx3p-948g-6vhq)