📚 Nextcloud: @nextcloud/logger NPM package brings vulnerable ansi-regex version
💡 News category: Security vulnerabilities
🔗 Source: vulners.com
Summary: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns `[\#;?]` and `(?:;[-a-zA-Z\d\/#&.:=?%@~_])*`.

Details: Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from clogging the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service, DDoS, attack) to sending crafted requests that cause a system to crash or take a disproportionate amount of time to process. Regular expression Denial of Service (ReDoS) is one type of Denial of Service attack: a regular expression whose structure allows catastrophic backtracking lets a single crafted input keep the matcher busy for a long time. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Steps To Reproduce: First I download the code (https://github.com/nextcloud/password_policy). I usually cat files and see the technologies that the site uses and their versions. I found that you use ansi-regex, then I cat every file and found that package-lock.json has the version. I have the versions of ansi-regex, with a lot of versions there, some of them vulnerable and others updated to the latest version, and the vulnerable path is ```json }, "strip-ansi": { "version": "3.0.1", "resolved":... ...
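The report above finds the vulnerable copy by reading package-lock.json, where an old ansi-regex can sit nested under strip-ansi while a patched copy sits at the top level. The following is an added example, not code from Nextcloud or from the advisory, that automates that check over a lockfile: it lists every copy of a package (v1 and v2/v3 lockfile layouts) and flags the ones below the patched release of their major line. The `PATCHED_BY_MAJOR` values and the sample lockfile are assumptions constructed for illustration; take the real patched versions from the advisory.

```javascript
// Added example (not Nextcloud's or the advisory's code): list every copy of a
// package in package-lock.json and flag copies older than the patched release of
// their major line. PATCHED_BY_MAJOR is an assumed illustration, not advisory data.
const PATCHED_BY_MAJOR = { 3: '3.0.1', 4: '4.1.1', 5: '5.0.1', 6: '6.0.1' }; // assumption
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
// Lockfile v1 nests transitive copies under each dependency's "dependencies";
// v2/v3 list them flat under "packages" keyed by node_modules path.
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${name}`)) found.push({ path, version: info.version });
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [dep, info] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, version: info.version });
        walk(info.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}
// Flag a copy when it is older than its major's patched release, or when its
// major has no patched release listed at all (the 2.x line in the sample).
function vulnerableCopies(lock, name, patchedByMajor) {
  return findPackageVersions(lock, name).filter(({ version }) => {
    const patched = patchedByMajor[parseVersion(version)[0]];
    return patched === undefined || compareVersions(version, patched) < 0;
  });
}
// Constructed v1 lockfile in the shape the report describes: strip-ansi carrying
// an old nested ansi-regex beside a newer top-level copy.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'ansi-regex': { version: '5.0.1' },
    'strip-ansi': { version: '3.0.1', dependencies: { 'ansi-regex': { version: '2.1.1' } } },
  },
};
console.log(vulnerableCopies(SAMPLE_LOCK, 'ansi-regex', PATCHED_BY_MAJOR));
```

Running `npm ls ansi-regex` gives the same tree view from the installed node_modules; the lockfile walk above is useful when you only have the repository checkout, as in the report.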