Bug 2183109 (CVE-2023-26116) - CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy()
Keywords:
Status: NEW
Alias: CVE-2023-26116
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2207890 2207891 2208184 2208185 2208186 2208187 2208188 2208190 2208192 2208193 2211131 2211132 2211133 2211134 2211135 2211136 2211137 2211138 2211139 2211140 2211141 2211142 2211143 2211144 2211145
Blocks: 2183111
Reported: 2023-03-30 12:20 UTC by Pedro Sampaio
Modified: 2024-03-29 03:35 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in AngularJS. The angular.copy() utility function is vulnerable to regular expression denial of service (ReDoS): by providing specially crafted regex input, a remote attacker can cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Pedro Sampaio 2023-03-30 12:20:18 UTC
angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

References:

https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044
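A defensive pre-check for the issue described above, as an added example that is not part of the original report or of AngularJS. It assumes the risky values are RegExp objects with a very large source (per "specially-crafted regex input" and "large carefully-crafted input"); the names `findOversizedRegExps`, `guardedCopy` and `MAX_REGEX_SOURCE` and the 256-character cap are hypothetical.

```javascript
// Added example: pre-check for values handed to a deep-copy function such as angular.copy().
const MAX_REGEX_SOURCE = 256; // assumed cap, tune per application

function isRegExp(v) {
  // Tag check works across frames/realms, unlike instanceof.
  return Object.prototype.toString.call(v) === '[object RegExp]';
}

// Return [{ path, length }] for every RegExp in `value` whose source exceeds `limit`.
function findOversizedRegExps(value, limit = MAX_REGEX_SOURCE) {
  const hits = [];
  const seen = new WeakSet(); // tolerate cyclic object graphs
  const stack = [[value, '$']];
  while (stack.length > 0) {
    const [node, path] = stack.pop();
    if (node === null || typeof node !== 'object' || seen.has(node)) continue;
    seen.add(node);
    if (isRegExp(node)) {
      if (node.source.length > limit) hits.push({ path, length: node.source.length });
      continue; // a RegExp has no children worth walking
    }
    for (const key of Object.keys(node)) stack.push([node[key], `${path}.${key}`]);
  }
  return hits;
}

// copyFn is the deep-copy function being protected, e.g. angular.copy.
function guardedCopy(copyFn, value, limit = MAX_REGEX_SOURCE) {
  const hits = findOversizedRegExps(value, limit);
  if (hits.length > 0) {
    const where = hits.map((h) => `${h.path} (${h.length} chars)`).join(', ');
    throw new RangeError(`refusing to deep-copy oversized RegExp at ${where}`);
  }
  return copyFn(value);
}
```

In an AngularJS application the call site would be `guardedCopy(angular.copy, value)`; the rejection happens before the copy function ever sees the RegExp.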

Comment 3 Avinash Hanwate 2023-05-18 08:46:46 UTC
Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 2208184]


Created icecat tracking bugs for this issue:

Affects: fedora-all [bug 2208185]


Created mozjs102 tracking bugs for this issue:

Affects: fedora-all [bug 2208186]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2208187]


Created qpid-dispatch tracking bugs for this issue:

Affects: openstack-rdo [bug 2208190]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 2208188]

