CVE-2021-3801 - Vulnerability Details - OpenCVE

prism is vulnerable to Inefficient Regular Expression Complexity

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Prismjs	Prism
Redhat	Advanced Cluster Security

Configuration 1 [-]

cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*

Package	CPE	Advisory	Released Date
RHACS-3.67-RHEL-8
advanced-cluster-security/rhacs-rhel8-operator:3.67.0-3	cpe:/a:redhat:advanced_cluster_security:3.67::el8	RHSA-2021:4902	2021-12-01T00:00:00Z

References

Link	Providers
https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9
https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a
https://nvd.nist.gov/vuln/detail/CVE-2021-3801
https://www.cve.org/CVERecord?id=CVE-2021-3801

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2021-09-15T12:40:11

Updated: 2024-08-03T17:09:09.479Z

Reserved: 2021-09-14T00:00:00

Link: CVE-2021-3801

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-09-15T13:15:08.360

Modified: 2024-11-21T06:22:28.573

Link: CVE-2021-3801

Redhat

Severity : Moderate

Publid Date: 2021-09-11T00:00:00Z

Links: CVE-2021-3801 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "prismjs/prism", "vendor": "prismjs", "versions": [{"lessThanOrEqual": "1.24.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "prism is vulnerable to Inefficient Regular Expression Complexity"}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-15T12:40:11", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"}], "source": {"advisory": "8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", "discovery": "EXTERNAL"}, "title": "Inefficient Regular Expression Complexity in prismjs/prism", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2021-3801", "STATE": "PUBLIC", "TITLE": "Inefficient Regular Expression Complexity in prismjs/prism"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "prismjs/prism", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.24.1"}]}}]}, "vendor_name": "prismjs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "prism is vulnerable to Inefficient Regular Expression Complexity"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1333 Inefficient Regular Expression Complexity"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"}, {"name": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9", "refsource": "MISC", "url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"}]}, "source": {"advisory": "8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:09:09.479Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2021-3801", "datePublished": "2021-09-15T12:40:11", "dateReserved": "2021-09-14T00:00:00", "dateUpdated": "2024-08-03T17:09:09.479Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "266D072D-BFAD-4ACC-9ADA-91B03CA5EDA8", "versionEndExcluding": "1.25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "prism is vulnerable to Inefficient Regular Expression Complexity"}, {"lang": "es", "value": "prism es vulnerable a una Complejidad de Expresi\u00f3n Regular Ineficiente"}], "id": "CVE-2021-3801", "lastModified": "2024-11-21T06:22:28.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-15T13:15:08.360", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4902", "cpe": "cpe:/a:redhat:advanced_cluster_security:3.67::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:3.67.0-3", "product_name": "RHACS-3.67-RHEL-8", "release_date": "2021-12-01T00:00:00Z"}], "bugzilla": {"description": "nodejs-prismjs: ReDoS vulnerability", "id": "2005445", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005445"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["prism is vulnerable to Inefficient Regular Expression Complexity", "Insufficient Regular Expression Complexity in prismjs leads to a Regular Expression Denial of Service (ReDoS) attack. An unauthenticated attacker can exploit this flaw to cause an application to consume an excess amount of CPU by providing a crafted HTML comment as input. This can result in a denial of service attack."], "name": "CVE-2021-3801", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-ui-rhel8", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2021-09-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3801\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3801"], "statement": "OpenShift Container Platform (OCP) grafana-container does package a vulnerable verison of prismjs. However due to the instance being read only and behind OpenShift OAuth, it has been given a Low impact. Additionally it has been marked as wont-fix at this time and may be fixed in a future release.\nJust as OCP, OpenShift ServiceMesh (OSSM) components are behind OpenShift OAuth what reducing impact to Low.", "threat_severity": "Moderate"}