
CVE-2021-23362

Published: 23 March 2021

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package: node-hosted-git-info (Launchpad, Ubuntu, Debian)

Release                           Status
Upstream                          Released (3.0.8-1)
Ubuntu 21.10 (Impish Indri)       Not vulnerable (3.0.8-1)
Ubuntu 21.04 (Hirsute Hippo)      Not vulnerable (3.0.8-1)
Ubuntu 20.04 LTS (Focal Fossa)    Needs triage
Ubuntu 18.04 LTS (Bionic Beaver)  Needs triage
Ubuntu 16.04 ESM (Xenial Xerus)   Does not exist
Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist

Patches:
Upstream: https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3