CVE-2018-20164
Description
An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS) issue allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to a value containing a long digit string. (The UAP-Core project contains the vulnerability, propagating to all implementations.)
Mitigations
No mitigations published for this CVE yet.
OS impact
Debian: fixed in 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 20190213-1 |
| sid | Fixed | 20190213-1 |
| forky | Fixed | 20190213-1 |
| bullseye | Fixed | 20190213-1 |
| bookworm | Fixed | 20190213-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | uap-core | <0.6.0 | 0.6.0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-20164
- https://github.com/ua-parser/uap-core/issues/332
- https://github.com/ua-parser/uap-core/commit/010ccdc7303546cd22b9da687c29f4a996990014
- https://github.com/ua-parser/uap-core/commit/156f7e12b215bddbaf3df4514c399d683e6cdadc
- https://github.com/ua-parser/uap-core
- https://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser
- https://security-tracker.debian.org/tracker/CVE-2018-20164