Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVE-2022-26657: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.

CVE-2022-26655: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.

CVE-2022-27930: Pexip security bulletins | Pexip Infinity Docs

CVE-2022-27933: Pexip security bulletins | Pexip Infinity Docs

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-25858

**Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS**

Moderate severity GitHub Reviewed Published Jul 16, 2022 • Updated Jul 20, 2022

We are still processing this advisory. You may have affected repositories that are not yet on this list. Check back soon for more.

**Affected versions**

< 4.8.1

\>= 5.0.0, < 5.14.2

**Patched versions**

4.8.1

5.14.2

**Description**

GHSA-4wf5-vphf-c2xc: Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS

The package github.com/containrrr/shoutrrr/pkg/util before 0.6.0 are vulnerable to Denial of Service (DoS) via the util.PartitionMessage function. Exploiting this vulnerability is possible by sending exactly 2000, 4000, or 6000 characters messages.

**Shoutrrr util package DoS via sending 2000, 4000, or 6000 character messages**

High severity GitHub Reviewed Published Jul 16, 2022 • Updated Jul 20, 2022

GHSA-477v-w82m-634j: Shoutrrr util package DoS via sending 2000, 4000, or 6000 character messages

Undertow client side invocation timeout raised when calling over HTTP2, this vulnerability can allow attacker to carry out denial of service (DoS) attacks in versions less than 2.2.15 Final.

**Undertow vulnerable to Denial of Service (DoS) attacks**

Moderate severity GitHub Reviewed Published Jul 15, 2022 • Updated Jul 15, 2022

GHSA-339q-62wm-c39w: Undertow vulnerable to Denial of Service (DoS) attacks

Buffer leak on incoming WebSocket PONG message(s) in Undertow before 2.0.40 and 2.2.10 can lead to memory exhaustion and allow a denial of service.

**Undertow vulnerable to memory exhaustion due to buffer leak**

High severity GitHub Reviewed Published Jul 15, 2022 • Updated Jul 15, 2022

GHSA-fj7c-vg2v-ccrm: Undertow vulnerable to memory exhaustion due to buffer leak

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.



@@ -30,10 +30,10 @@ regexp\_2: { unsafe: true, } input: { console.log(JSON.stringify("COMPASS? Overpass.".match(new RegExp("(\[Sap\]+)", "ig")))); console.log(JSON.stringify("COMPASS? Overpass.".match(new RegExp("(pass)", "ig")))); } expect: { console.log(JSON.stringify("COMPASS? Overpass.".match(/(\[Sap\]+)/gi))); console.log(JSON.stringify("COMPASS? Overpass.".match(/(pass)/gi))); } expect\_stdout: '\["PASS","pass"\]' } @@ -44,10 +44,10 @@ unsafe\_slashes: { unsafe: true } input: { console.log(new RegExp("^https://")) console.log(new RegExp("^https//")) } expect: { console.log(/^https:\\/\\//) console.log(/^https\\/\\//) } } unsafe\_nul\_byte: { @@ -75,3 +75,16 @@ inline\_script: { } expect\_exact: '/\* <\\\\/script> \*/\\n/\[<\\\\/script>\]/;' }  
regexp\_no\_ddos: { options \= { unsafe: true, evaluate: true } input: { console.log(/(b+)b+/.test("bbb")) console.log(RegExp("(b+)b+").test("bbb")) } expect: { console.log(/(b+)b+/.test("bbb")) console.log(RegExp("(b+)b+").test("bbb")) } expect\_stdout: \["true", "true"\] }

CVE-2022-25858: fix potential regexp DDOS · terser/terser@a4da734

The package github.com/containrrr/shoutrrr/pkg/util before 0.6.0 are vulnerable to Denial of Service (DoS) via the util.PartitionMessage function. Exploiting this vulnerability is possible by sending exactly 2000, 4000, or 6000 characters messages.


**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#dos