CVE-2020-7760

CWE-400 — Uncontrolled Resource Consumption17 documents8 sources

Severity

7.5HIGH

EPSS

0.3%

top 43.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Codemirror Codemirror Oracle Application Express Oracle Hyperion Data Relationship Management +3 more

Timeline

PublishedOct 30

Latest updateJan 15

Description

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)*

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages10 packages

▶CVEListV5org.apache.marmotta.webjars:codemirrorunspecified — 5.58.2

▶CVEListV5codemirrorunspecified — 5.58.2

▶npmcodemirror< 5.58.2

▶NVDcodemirror/codemirror< 5.58.2

▶Debiancodemirror-js< 5.58.2+~cs0.23.101-1+3

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Regular expression denial of service in codemirror↗2021-05-10

▶

GHSA

Regular expression denial of service in codemirror↗2021-05-10

▶

CVEList

Regular Expression Denial of Service (ReDoS)↗2020-10-30

▶

OSV

CVE-2020-7760: This affects the package codemirror before 5↗2020-10-30

▶

📋Vendor Advisories

Oracle

Oracle Oracle Analytics Risk Matrix: Content Storage Service (CodeMirror) — CVE-2020-7760↗2025-01-15

▶

Oracle

Oracle Oracle Utilities Applications Risk Matrix: User Interface (CodeMirror) — CVE-2020-7760↗2024-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Diameter Custom Application (CodeMirror) — CVE-2020-7760↗2023-10-15

▶

Oracle

Oracle Oracle Siebel CRM Risk Matrix: UI Framework (CodeMirror) — CVE-2020-7760↗2023-07-15

▶

Oracle

Oracle Oracle Hyperion Risk Matrix: Web Client - Unicode (CodeMirror) — CVE-2020-7760↗2022-04-15

▶

💬Community

Bugzilla

CVE-2020-7760 codemirror: ReDoS in tokenBase function in javascript.js↗2020-10-30

▶

Bugzilla

CVE-2020-7760 nodejs-codemirror: codemirror: ReDoS in tokenBase function in javascript.js [epel-all]↗2020-10-30

▶

Bugzilla

CVE-2020-7760 nodejs-codemirror: codemirror: ReDoS in tokenBase function in javascript.js [fedora-all]↗2020-10-30

▶