Vulnerability Information
Vulnerability Title
Insufficient patch for Regular Expression Denial of Service (ReDoS) to jsx-slack v4.5.1
Vulnerability Description
jsx-slack is a package for building JSON objects for Slack Block Kit surfaces from JSX. The maintainers found that the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient to protect against a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put many JSX elements that include multibyte characters into a `<blockquote>` tag, an internal regular expression used for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated the regular expressions for escaping blockquote characters to prevent catastrophic backtracking, and includes an updated test case that confirms rendering of multiple tags in `<blockquote>` with multibyte characters.
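As an added illustration (this is not jsx-slack's code and not its actual regular expression), the following Node.js snippet shows the failure mode the description names: an escaping-style pattern whose ambiguity exists only for non-ASCII characters, so a regression test built from ASCII strings passes while a multibyte payload still triggers catastrophic backtracking. The two regexes, the payload builders and the `probe` helper are hypothetical and constructed for this example; the hardened pattern removes the choice point instead of limiting input size.

```javascript
// Added illustration, not code from jsx-slack: why an ASCII-only ReDoS regression
// test can pass while multibyte input still triggers catastrophic backtracking.

// Hypothetical check on blockquote text: allow ASCII letters, digits and spaces,
// plus any non-ASCII character. This version is ambiguous on purpose: a run of
// non-ASCII characters can be consumed one code unit at a time ([^\x00-\x7F]) or
// as a whole run ([^\x00-\x7F]+), so when the overall match fails the engine
// retries every way of splitting the run (exponential in the run length).
// ASCII input only ever takes the first, single-character alternative, so an
// ASCII-only test sees linear behaviour and passes.
const VULNERABLE_RE = /^(?:[A-Za-z0-9 ]|[^\x00-\x7F]|[^\x00-\x7F]+)*$/;

// Hardened version: one character class, no alternation, so there is no choice
// point to backtrack into. Without the `u` flag the class works per UTF-16 code
// unit; both halves of a surrogate pair (emoji) fall inside \u0080-\uFFFF.
const HARDENED_RE = /^[A-Za-z0-9 \u0080-\uFFFF]*$/;

function isAllowedVulnerable(text) { return VULNERABLE_RE.test(text); }
function isAllowedHardened(text) { return HARDENED_RE.test(text); }

// Regex-free reference implementation: a single pass over UTF-16 code units.
function isAllowedLinear(text) {
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    const ok =
      c >= 0x80 ||                         // any non-ASCII code unit
      c === 0x20 ||                        // space
      (c >= 0x30 && c <= 0x39) ||          // 0-9
      (c >= 0x41 && c <= 0x5a) ||          // A-Z
      (c >= 0x61 && c <= 0x7a);            // a-z
    if (!ok) return false;
  }
  return true;
}

// Constructed payloads: n allowed characters followed by one rejected character,
// which forces the engine to exhaust every path before giving up.
const asciiPayload = (n) => 'a'.repeat(n) + '!';
const multibytePayload = (n) => 'あ'.repeat(n) + '!';

// Wall-clock time for a single regex test, in milliseconds.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// ReDoS probe: time a regex against growing ASCII and multibyte payloads.
// A regression test that only used asciiPayload would report VULNERABLE_RE as fine.
function probe(re, sizes) {
  const report = { ascii: {}, multibyte: {} };
  for (const n of sizes) {
    report.ascii[n] = timeTest(re, asciiPayload(n));
    report.multibyte[n] = timeTest(re, multibytePayload(n));
  }
  return report;
}

// Small sizes keep the demonstration quick: the multibyte column for
// VULNERABLE_RE grows exponentially with n, the ASCII column stays flat.
console.log('vulnerable:', probe(VULNERABLE_RE, [8, 10, 12, 14]));
console.log('hardened:  ', probe(HARDENED_RE, [8, 14, 1000, 100000]));
```

Run it with `node`; the vulnerable pattern's multibyte timings climb steeply with the payload length while its ASCII timings do not, which is exactly the blind spot an ASCII-only ReDoS test leaves open. The general point applies to any patched ReDoS: the regression test has to exercise the character classes an attacker controls, including surrogate pairs, not only the ASCII strings from the original report.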
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
Uncontrolled Resource Consumption (Resource Exhaustion)
Vulnerability Title
jsx-slack security vulnerability
Vulnerability Description
jsx-slack builds JSON objects for Slack Block Kit surfaces from JSX. jsx-slack has a security vulnerability (CNNVD-202112-2019) that stems from the patch for CVE-2021-43838 being insufficient to prevent a Regular Expression Denial of Service (ReDoS) attack. If an attacker can place a large number of JSX elements containing multibyte characters inside a `<blockquote>` tag, the internal regular expression used for escaping characters may consume an excessive amount of computing resources.
CVSS Information
N/A
Vulnerability Type
N/A