Vulnerability Description
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ssri Project | Ssri | >= 5.2.2, < 6.0.2 |
| Oracle | Graalvm | 20.3.3 |
| Siemens | Sinec Infrastructure Network Services | < 1.0.1.1 |
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
- https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdfExploitPatchThird Party Advisory
- https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdfExploitThird Party Advisory
- https://npmjs.comProduct
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
- https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdfExploitPatchThird Party Advisory
- https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdfExploitThird Party Advisory
- https://npmjs.comProduct
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
FAQ
What is CVE-2021-27290?
CVE-2021-27290 is a vulnerability with a CVSS score of 7.5 (HIGH). ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial o...
How severe is CVE-2021-27290?
CVE-2021-27290 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-27290?
Check the references section above for vendor advisories and patch information. Affected products include: Ssri Project Ssri, Oracle Graalvm, Siemens Sinec Infrastructure Network Services.