Bug 2183108 (CVE-2023-26117) - CVE-2023-26117 angularjs: Regular expression denial of service via the $resource service
Status: NEW
Alias: CVE-2023-26117
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 2184357 2184359 2208175 2208180 2184355 2184356 2184358 2208177 2208178 2208179 2208182 2208189 2208191 2211150 2211151 2211152 2211153 2211154 2211156 2211157 2211158 2211159 2211160 2211161 2211162 2211163 2211164 2211165
Blocks: 2183111
Reported: 2023-03-30 12:18 UTC by Pedro Sampaio
Modified: 2024-03-02 05:32 UTC

Doc Text:
A flaw was found in AngularJS: the $resource service is vulnerable to a regular expression denial of service (ReDoS). By providing specially-crafted regex input, a remote attacker could cause a denial of service.

Description Pedro Sampaio 2023-03-30 12:18:17 UTC
angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

References:

https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045

Comment 4 Avinash Hanwate 2023-05-18 08:41:38 UTC
Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 2208175]


Created icecat tracking bugs for this issue:

Affects: fedora-all [bug 2208177]


Created mozjs102 tracking bugs for this issue:

Affects: fedora-all [bug 2208178]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2208179]


Created qpid-dispatch tracking bugs for this issue:

Affects: openstack-rdo [bug 2208182]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 2208180]

