Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2017-18077

Good to know:

icon
icon

Date: January 27, 2018

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

Language: Java

Severity Score

Related Resources (10)

https://github.com/juliangruber/brace-expansion/issues/33
https://nodesecurity.io/advisories/338
https://www.npmjs.com/advisories/338
https://bugs.debian.org/862712
https://github.com/juliangruber/brace-expansion/pull/35
https://github.com/advisories/GHSA-832h-xg76-4gv6
https://nvd.nist.gov/vuln/detail/CVE-2017-18077
https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3
https://github.com/juliangruber/brace-expansion
https://www.mend.io/vulnerability-database/CVE-2017-18077

Severity Score

Weakness Type (CWE)

Improper Input Validation

CWE-20

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

icon

Upgrade Version

Upgrade to version Nodejs.Redist.x64 - 8.0.0;Nodejs.Redist.x64 - 7.7.3.1;chrisbraybrooke/laravel-ecommerce - dev-form-field-key;chrisbraybrooke/laravel-ecommerce - 0.0.56;chrisbraybrooke/laravel-ecommerce - 0.0.11;Raml.Parser - 1.0.8;Raml.Parser - 1.0.2;azure-cli - no_fix;Fable.Template.Elmish.React - 0.1.6;ryanvade/flarum-ext-login-redirect - no_fix;contentasaurus/c-rex-admin - v1.0.7;contentasaurus/c-rex-admin - v1.0.1;ymcatwincities/openy-cibox-vm - no_fix;ymcatwincities/openy-cibox-vm - dev-snyk-fix-45a393004964497d68443389076d755a;ymcatwincities/openy-cibox-vm - dev-snyk-fix-5c35a6fcce9a99be5f2075759c8a3425;ymcatwincities/openy-cibox-vm - dev-snyk-fix-d3e304fdb18d8e743e047d064f2eeebe;ymcatwincities/openy-cibox-vm - dev-snyk-fix-84e446cbc8aa1506ed55902e1b08c080;spiral/toolkit - v0.8.20;spiral/toolkit - v0.8.18;spiral/toolkit - v0.9.0;z3/t3build-node - 1.0.11;MIDIator.WebClient - 1.0.105;humanmade/coding-standards - dev-dependabot/npm_and_yarn/json-schema-0.4.0;binh/mentions - no_fix;neon-sys - 0.1.11;Tools.Npm - no_fix;dreamfactory/df-api-docs-ui - 1.1.0;iget-master/material-admin - dev-L51;mpcmf/mpcmf-web-app - no_fix;mpcmf/mpcmf-web-app - 1.0.0.x-dev;KarmaNodeModules - no_fix;oburatongoi/productivity - 0.3.36;oburatongoi/productivity - 0.0.13;tslint - 5.6.0;Ncapsulate.Node.Shadow - no_fix;Yarn.MSBuild - 0.22.0;EntityFramework.LookupTables - 1.1.14.119;Npm - no_fix;Betclic.BuildTools.Node - no_fix;Npm3 - no_fix;node-sass-bundle - no_fix;datitisev/flarum-ext-moderator-notes - no_fix;NoGit - no_fix;lesshint - no_fix;brace-expansion - 1.1.7;Yarnpkg.Yarn - 0.26.1;z4a-dotnet-scaffold - 1.0.0.2;Ncapsulate.Node - no_fix;yuan1994/wechat_web_devtools - 0.15.152901-core;lufangyu1217/demo - dev-develop;jsdom - 11.11.0;Ncapsulate.Bower - no_fix;ristorantino/aditions - dev-master-ko-js-update;AngularJsTypeScriptBase - no_fix;kayrules/solatjakim-api-site - dev-version-1.0;bibcnrs/wp-ebsco-widget - 0.3.0;abedinia/heisenberg - 0.0.1;jquery - 3.4.0;Npm.js - no_fix;nodejs - 8.8.1;NodeBin - no_fix;Ncapsulate.Gulp - no_fix;urre/postpone - no_fix;ilhanet/erpnet-widget-resource - no_fix;hydrawiki/lessoid - 2.0.0;org.webjars.npm:bower:1.8.12;org.webjars:npm:4.0.2;org.webjars:npm:4.4.4;org.webjars.npm:brace-expansion:1.1.7;org.webjars.npm:bourbon-neat:2.1.0;org.webjars:browser-sync:no_fix

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us