2221261 – (CVE-2023-34104) CVE-2023-34104 fast-xml-parser: Regex Injection via Doctype Entities

Bug 2221261 (CVE-2023-34104) - CVE-2023-34104 fast-xml-parser: Regex Injection via Doctype Entities

Summary: CVE-2023-34104 fast-xml-parser: Regex Injection via Doctype Entities

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2023-34104
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2221262 2221263
Blocks:	2221264
TreeView+	depends on / blocked

Reported:	2023-07-07 16:57 UTC by Pedro Sampaio
Modified:	2024-03-15 02:48 UTC (History)
CC List:	14 users (show)
Fixed In Version:	fast-xml-parser 4.2.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the fast-XML-parser. The affected versions of fast-XML-parser are vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in the Doctype Entities. By sending a specially crafted regex input, a remote attacker can cause a denial of service condition.
Clone Of:
Environment:
Last Closed:	2023-08-14 05:50:06 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:4627	0	None	None	None	2023-08-14 01:03:05 UTC

Description Pedro Sampaio 2023-07-07 16:57:33 UTC

fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the `processEntities: false` option.

References:

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw
https://github.com/NaturalIntelligence/fast-xml-parser/commit/39b0e050bb909e8499478657f84a3076e39ce76c

Comment 3 errata-xmlrpc 2023-08-14 01:03:03 UTC

This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 4 Product Security DevOps Team 2023-08-14 05:50:05 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-34104

Note You need to log in before you can comment on or make changes to this bug.