GSD-2020-26256
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-26256",
"description": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable.",
"id": "GSD-2020-26256"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-26256"
],
"details": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable.",
"id": "GSD-2020-26256",
"modified": "2023-12-13T01:22:09.111217Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26256",
"STATE": "PUBLIC",
"TITLE": "Denial of service in fast-csv"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fast-csv",
"version": {
"version_data": [
{
"version_value": "\u003c 4.3.6"
}
]
}
}
]
},
"vendor_name": "C2FO"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp",
"refsource": "CONFIRM",
"url": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp"
},
{
"name": "https://lgtm.com/query/8609731774537641779/",
"refsource": "MISC",
"url": "https://lgtm.com/query/8609731774537641779/"
},
{
"name": "https://github.com/C2FO/fast-csv/issues/540",
"refsource": "MISC",
"url": "https://github.com/C2FO/fast-csv/issues/540"
},
{
"name": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e",
"refsource": "MISC",
"url": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e"
},
{
"name": "https://www.npmjs.com/package/@fast-csv/parse",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/@fast-csv/parse"
},
{
"name": "https://www.npmjs.com/package/fast-csv",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/fast-csv"
}
]
},
"source": {
"advisory": "GHSA-8cv5-p934-3hwp",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c4.3.6",
"affected_versions": "All versions before 4.3.6",
"cvss_v2": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-400",
"CWE-937"
],
"date": "2021-10-08",
"description": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node.If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable.",
"fixed_versions": [
"4.3.6"
],
"identifier": "CVE-2020-26256",
"identifiers": [
"GHSA-8cv5-p934-3hwp",
"CVE-2020-26256"
],
"not_impacted": "All versions starting from 4.3.6",
"package_slug": "npm/@fast-csv/parse",
"pubdate": "2020-12-08",
"solution": "Upgrade to version 4.3.6 or above.",
"title": "Uncontrolled Resource Consumption",
"urls": [
"https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp",
"https://github.com/C2FO/fast-csv/issues/540",
"https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e",
"https://lgtm.com/query/8609731774537641779/",
"https://www.npmjs.com/package/@fast-csv/parse",
"https://www.npmjs.com/package/fast-csv",
"https://www.npmjs.com/advisories/1587",
"https://www.npmjs.com/advisories/1588",
"https://nvd.nist.gov/vuln/detail/CVE-2020-26256",
"https://github.com/advisories/GHSA-8cv5-p934-3hwp"
],
"uuid": "bae990a0-80c2-4893-b4d6-d8ff82f8b162"
},
{
"affected_range": "\u003c4.3.6",
"affected_versions": "All versions before 4.3.6",
"cvss_v2": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-400",
"CWE-937"
],
"date": "2021-10-07",
"description": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable.",
"fixed_versions": [
"4.3.6"
],
"identifier": "CVE-2020-26256",
"identifiers": [
"CVE-2020-26256",
"GHSA-8cv5-p934-3hwp"
],
"not_impacted": "All versions starting from 4.3.6",
"package_slug": "npm/fast-csv",
"pubdate": "2020-12-08",
"solution": "Upgrade to version 4.3.6 or above.",
"title": "Uncontrolled Resource Consumption",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-26256"
],
"uuid": "1a73e7ae-54d3-4ba0-a604-3fca541eb8ab"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:c2fo:fast-csv:*:*:*:*:*:node.js:*:*",
"cpe_name": [],
"versionEndExcluding": "4.3.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26256"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e"
},
{
"name": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp"
},
{
"name": "https://www.npmjs.com/package/fast-csv",
"refsource": "MISC",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://www.npmjs.com/package/fast-csv"
},
{
"name": "https://www.npmjs.com/package/@fast-csv/parse",
"refsource": "MISC",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://www.npmjs.com/package/@fast-csv/parse"
},
{
"name": "https://lgtm.com/query/8609731774537641779/",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://lgtm.com/query/8609731774537641779/"
},
{
"name": "https://github.com/C2FO/fast-csv/issues/540",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/C2FO/fast-csv/issues/540"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2021-10-07T17:08Z",
"publishedDate": "2020-12-08T22:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…