发布于3月6日3月6日 Members Red Hat JBossEAP: Inefficient Regular Expression Complexity (CVE-2024-39249) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/01/2024 Created 09/20/2024 Added 09/19/2024 Modified 12/20/2024 Description Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.. A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input. Solution(s) red-hat-jboss-eap-upgrade-latest References https://attackerkb.com/topics/cve-2024-39249 CVE - 2024-39249 https://access.redhat.com/security/cve/CVE-2024-39249 https://bugzilla.redhat.com/show_bug.cgi?id=2295035 https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41 https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6 https://github.com/zunak/CVE-2024-39249
