{
  "threat_severity" : "Important",
  "public_date" : "2024-10-26T20:26:35Z",
  "bugzilla" : {
    "description" : "Useragent: GHSL-2020-312: Regular Expression Denial of Service (ReDoS) in useragent",
    "id" : "2321964",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2321964"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1333",
  "details" : [ "Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available.", "A flaw was found in Useragent package, a user agent parser for Node.js. Affected versions of this package contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS)." ],
  "statement" : "The ReDoS vulnerability in the useragent library is considered an important severity rather than critical because it primarily affects application availability, not confidentiality or integrity. This vulnerability occurs when inefficient regular expressions lead to excessive backtracking under specific input patterns, potentially causing the application to slow down or become unresponsive. However, ReDoS attacks do not allow an attacker to execute arbitrary code, escalate privileges, or access sensitive data directly.\nLogging Subsystem for Red Hat OpenShiftdoes not impacted & unaffected by this specific CVE because it is used only in the development environment.\nRed Hat Quay 3 does not impacted & unaffected by this specific CVE because its not using node to parse user requests.",
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-26311\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26311\nhttps://github.com/3rd-Eden/useragent/issues/167\nhttps://securitylab.github.com/advisories/GHSL-2020-312-redos-useragent/" ],
  "name" : "CVE-2020-26311",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}