CVE-2021-21267 — HIGH (7.5)

Q: How severe is CVE-2021-21267?

CVE-2021-21267 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21267?

Check the references section above for vendor advisories and patch information. Affected products include: Schema-Inspector Project Schema-Inspector, Netapp E-Series Performance Analyzer, Netapp Oncommand Insight.

Vulnerability Description

Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected. Users should upgrade to version 2.0.0, which uses a regex expression that isn't vulnerable to ReDoS.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Schema-Inspector Project	Schema-Inspector	< 2.0.0
Netapp	E-Series Performance Analyzer	-
Netapp	Oncommand Insight	-

Related Weaknesses (CWE)

CWE-20 CWE-400

References

https://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8fExploitThird Party Advisory
https://github.com/schema-inspector/schema-inspector/security/advisories/GHSA-f3ExploitThird Party Advisory
https://security.netapp.com/advisory/ntap-20210528-0006/Third Party Advisory
https://www.npmjs.com/package/schema-inspectorExploitThird Party Advisory
https://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8fExploitThird Party Advisory
https://github.com/schema-inspector/schema-inspector/security/advisories/GHSA-f3ExploitThird Party Advisory
https://security.netapp.com/advisory/ntap-20210528-0006/Third Party Advisory
https://www.npmjs.com/package/schema-inspectorExploitThird Party Advisory

FAQ

What is CVE-2021-21267?

CVE-2021-21267 is a vulnerability with a CVSS score of 7.5 (HIGH). Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attac...

How severe is CVE-2021-21267?

CVE-2021-21267 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21267?

Check the references section above for vendor advisories and patch information. Affected products include: Schema-Inspector Project Schema-Inspector, Netapp E-Series Performance Analyzer, Netapp Oncommand Insight.