CVE-2021-21391 - Vulnerability Details

Vendors	Products
Ckeditor	Ckeditor5-engine Ckeditor5-font Ckeditor5-image Ckeditor5-list Ckeditor5-markdown-gfm Ckeditor5-media-embed Ckeditor5-paste-from-office Ckeditor5-widget

Link	Providers
https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj
https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine
https://www.npmjs.com/package/%40ckeditor/ckeditor5-font
https://www.npmjs.com/package/%40ckeditor/ckeditor5-image
https://www.npmjs.com/package/%40ckeditor/ckeditor5-list
https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm
https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed
https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office
https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "ckeditor5", "vendor": "ckeditor", "versions": [{"status": "affected", "version": "< 27.0.0"}]}], "descriptions": [{"lang": "en", "value": "CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-29T00:20:19", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-font"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-image"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-list"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget"}], "source": {"advisory": "GHSA-3rh3-wfr4-76mj", "discovery": "UNKNOWN"}, "title": "Regular expression Denial of Service in multiple packages", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21391", "STATE": "PUBLIC", "TITLE": "Regular expression Denial of Service in multiple packages"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ckeditor5", "version": {"version_data": [{"version_value": "< 27.0.0"}]}}]}, "vendor_name": "ckeditor"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://www.npmjs.com/package/@ckeditor/ckeditor5-markdown-gfm", "refsource": "MISC", "url": "https://www.npmjs.com/package/@ckeditor/ckeditor5-markdown-gfm"}, {"name": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj", "refsource": "CONFIRM", "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj"}, {"name": "https://www.npmjs.com/package/@ckeditor/ckeditor5-engine", "refsource": "MISC", "url": "https://www.npmjs.com/package/@ckeditor/ckeditor5-engine"}, {"name": "https://www.npmjs.com/package/@ckeditor/ckeditor5-font", "refsource": "MISC", "url": "https://www.npmjs.com/package/@ckeditor/ckeditor5-font"}, {"name": "https://www.npmjs.com/package/@ckeditor/ckeditor5-image", "refsource": "MISC", "url": "https://www.npmjs.com/package/@ckeditor/ckeditor5-image"}, {"name": "https://www.npmjs.com/package/@ckeditor/ckeditor5-list", "refsource": "MISC", "url": "https://www.npmjs.com/package/@ckeditor/ckeditor5-list"}, {"name": "https://www.npmjs.com/package/@ckeditor/ckeditor5-media-embed", "refsource": "MISC", "url": "https://www.npmjs.com/package/@ckeditor/ckeditor5-media-embed"}, {"name": "https://www.npmjs.com/package/@ckeditor/ckeditor5-paste-from-office", "refsource": "MISC", "url": "https://www.npmjs.com/package/@ckeditor/ckeditor5-paste-from-office"}, {"name": "https://www.npmjs.com/package/@ckeditor/ckeditor5-widget", "refsource": "MISC", "url": "https://www.npmjs.com/package/@ckeditor/ckeditor5-widget"}]}, "source": {"advisory": "GHSA-3rh3-wfr4-76mj", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.938Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-font"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-image"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-list"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21391", "datePublished": "2021-04-29T00:20:19", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.938Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : ckeditor5 (string)

vendor : ckeditor (string)

versions : [ »

0 : { »

status : affected (string)

version : < 27.0.0 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0. (string)

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 6.5 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-400 (string)

description : CWE-400: Uncontrolled Resource Consumption (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-04-29T00:20:19 (string)

orgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

shortName : GitHub_M (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine (string)

}

3 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-font (string)

}

4 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-image (string)

}

5 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-list (string)

}

6 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed (string)

}

7 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office (string)

}

8 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget (string)

}

]

source : { »

advisory : GHSA-3rh3-wfr4-76mj (string)

discovery : UNKNOWN (string)

}

title : Regular expression Denial of Service in multiple packages (string)

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security-advisories@github.com (string)

ID : CVE-2021-21391 (string)

STATE : PUBLIC (string)

TITLE : Regular expression Denial of Service in multiple packages (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : ckeditor5 (string)

version : { »

version_data : [ »

0 : { »

version_value : < 27.0.0 (string)

}

]

}

]

}

vendor_name : ckeditor (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0. (string)

}

]

}

impact : { »

cvss : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 6.5 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-400: Uncontrolled Resource Consumption (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://www.npmjs.com/package/@ckeditor/ckeditor5-markdown-gfm (string)

refsource : MISC (string)

url : https://www.npmjs.com/package/@ckeditor/ckeditor5-markdown-gfm (string)

}

1 : { »

name : https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj (string)

refsource : CONFIRM (string)

url : https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj (string)

}

2 : { »

name : https://www.npmjs.com/package/@ckeditor/ckeditor5-engine (string)

refsource : MISC (string)

url : https://www.npmjs.com/package/@ckeditor/ckeditor5-engine (string)

}

3 : { »

name : https://www.npmjs.com/package/@ckeditor/ckeditor5-font (string)

refsource : MISC (string)

url : https://www.npmjs.com/package/@ckeditor/ckeditor5-font (string)

}

4 : { »

name : https://www.npmjs.com/package/@ckeditor/ckeditor5-image (string)

refsource : MISC (string)

url : https://www.npmjs.com/package/@ckeditor/ckeditor5-image (string)

}

5 : { »

name : https://www.npmjs.com/package/@ckeditor/ckeditor5-list (string)

refsource : MISC (string)

url : https://www.npmjs.com/package/@ckeditor/ckeditor5-list (string)

}

6 : { »

name : https://www.npmjs.com/package/@ckeditor/ckeditor5-media-embed (string)

refsource : MISC (string)

url : https://www.npmjs.com/package/@ckeditor/ckeditor5-media-embed (string)

}

7 : { »

name : https://www.npmjs.com/package/@ckeditor/ckeditor5-paste-from-office (string)

refsource : MISC (string)

url : https://www.npmjs.com/package/@ckeditor/ckeditor5-paste-from-office (string)

}

8 : { »

name : https://www.npmjs.com/package/@ckeditor/ckeditor5-widget (string)

refsource : MISC (string)

url : https://www.npmjs.com/package/@ckeditor/ckeditor5-widget (string)

}

]

}

source : { »

advisory : GHSA-3rh3-wfr4-76mj (string)

discovery : UNKNOWN (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T18:09:15.938Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine (string)

}

3 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-font (string)

}

4 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-image (string)

}

5 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-list (string)

}

6 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed (string)

}

7 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office (string)

}

8 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

assignerShortName : GitHub_M (string)

cveId : CVE-2021-21391 (string)

datePublished : 2021-04-29T00:20:19 (string)

dateReserved : 2020-12-22T00:00:00 (string)

dateUpdated : 2024-08-03T18:09:15.938Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ckeditor:ckeditor5-engine:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "67079ED7-67C7-43E6-B2ED-FC8F38073844", "versionEndExcluding": "27.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ckeditor:ckeditor5-font:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "49A57CEA-AF9A-406B-97E3-0174F98CF961", "versionEndExcluding": "27.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ckeditor:ckeditor5-image:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8AA7F807-41B2-492E-AC3F-ECC940A9D087", "versionEndExcluding": "27.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ckeditor:ckeditor5-list:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "ECFF8404-52EF-49E0-BB96-5C366362DD9E", "versionEndExcluding": "27.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ckeditor:ckeditor5-markdown-gfm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2DDE77C4-ECA2-490F-8B67-D9CC0990FF33", "versionEndExcluding": "27.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ckeditor:ckeditor5-media-embed:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C9FD93F0-391D-4910-846C-B972D0737066", "versionEndExcluding": "27.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ckeditor:ckeditor5-paste-from-office:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2B80F6F9-37B6-4FE3-B7C6-07931AD022BD", "versionEndExcluding": "27.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ckeditor:ckeditor5-widget:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2BD4B908-0A73-4410-813D-34A4108052D0", "versionEndExcluding": "27.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0."}, {"lang": "es", "value": "CKEditor 5 proporciona una soluci\u00f3n de edici\u00f3n WYSIWYG.&#xa0;Este CVE afecta a los siguientes paquetes npm: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office y ckeditor5-widget.&#xa0;Despu\u00e9s de una auditor\u00eda interna, se detect\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio de expresi\u00f3n regular (ReDoS) en varios paquetes de CKEditor 5.&#xa0;La vulnerabilidad permiti\u00f3 abusar de determinadas expresiones regulares, lo que podr\u00eda causar una perdida significativa del rendimiento, lo que causar\u00eda la congelaci\u00f3n de la pesta\u00f1a del navegador.&#xa0;Afecta a todos los usuarios que usan los paquetes CKEditor 5 enumerados anteriormente en la versi\u00f3n anterior a 26.0.0 e incluy\u00e9ndola.&#xa0;El problema ha sido reconocido y parcheado.&#xa0;La correcci\u00f3n estar\u00e1 disponible en la versi\u00f3n 27.0.0"}], "id": "CVE-2021-21391", "lastModified": "2024-11-21T05:48:15.750", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-29T01:15:07.883", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-font"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-image"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-list"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-font"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-image"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-list"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:ckeditor:ckeditor5-engine:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : 67079ED7-67C7-43E6-B2ED-FC8F38073844 (string)

versionEndExcluding : 27.0.0 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:ckeditor:ckeditor5-font:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : 49A57CEA-AF9A-406B-97E3-0174F98CF961 (string)

versionEndExcluding : 27.0.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:ckeditor:ckeditor5-image:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : 8AA7F807-41B2-492E-AC3F-ECC940A9D087 (string)

versionEndExcluding : 27.0.0 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:ckeditor:ckeditor5-list:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : ECFF8404-52EF-49E0-BB96-5C366362DD9E (string)

versionEndExcluding : 27.0.0 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:ckeditor:ckeditor5-markdown-gfm:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : 2DDE77C4-ECA2-490F-8B67-D9CC0990FF33 (string)

versionEndExcluding : 27.0.0 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:ckeditor:ckeditor5-media-embed:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : C9FD93F0-391D-4910-846C-B972D0737066 (string)

versionEndExcluding : 27.0.0 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:ckeditor:ckeditor5-paste-from-office:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : 2B80F6F9-37B6-4FE3-B7C6-07931AD022BD (string)

versionEndExcluding : 27.0.0 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:ckeditor:ckeditor5-widget:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : 2BD4B908-0A73-4410-813D-34A4108052D0 (string)

versionEndExcluding : 27.0.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0. (string)

}

1 : { »

lang : es (string)

value : CKEditor 5 proporciona una solución de edición WYSIWYG. Este CVE afecta a los siguientes paquetes npm: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office y ckeditor5-widget. Después de una auditoría interna, se detectó una vulnerabilidad de denegación de servicio de expresión regular (ReDoS) en varios paquetes de CKEditor 5. La vulnerabilidad permitió abusar de determinadas expresiones regulares, lo que podría causar una perdida significativa del rendimiento, lo que causaría la congelación de la pestaña del navegador. Afecta a todos los usuarios que usan los paquetes CKEditor 5 enumerados anteriormente en la versión anterior a 26.0.0 e incluyéndola. El problema ha sido reconocido y parcheado. La corrección estará disponible en la versión 27.0.0 (string)

}

]

id : CVE-2021-21391 (string)

lastModified : 2024-11-21T05:48:15.750 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : PARTIAL (string)

baseScore : 4.3 (number)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:M/Au:N/C:N/I:N/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 8.6 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 6.5 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 3.6 (number)

source : security-advisories@github.com (string)

type : Secondary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 6.5 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-04-29T01:15:07.883 (string)

references : [ »

0 : { »

source : security-advisories@github.com (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj (string)

}

1 : { »

source : security-advisories@github.com (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine (string)

}

2 : { »

source : security-advisories@github.com (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-font (string)

}

3 : { »

source : security-advisories@github.com (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-image (string)

}

4 : { »

source : security-advisories@github.com (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-list (string)

}

5 : { »

source : security-advisories@github.com (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm (string)

}

6 : { »

source : security-advisories@github.com (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed (string)

}

7 : { »

source : security-advisories@github.com (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office (string)

}

8 : { »

source : security-advisories@github.com (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj (string)

}

10 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-engine (string)

}

11 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-font (string)

}

12 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-image (string)

}

13 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-list (string)

}

14 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-markdown-gfm (string)

}

15 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-media-embed (string)

}

16 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-paste-from-office (string)

}

17 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://www.npmjs.com/package/%40ckeditor/ckeditor5-widget (string)

}

]

sourceIdentifier : security-advisories@github.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-400 (string)

}

]

source : security-advisories@github.com (string)

type : Secondary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object