CVE-2021-32723

Severity
6.5 MEDIUM
EPSS
0.4%
top 41.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 28
Latest update: Jan 15

Description

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 4.0

Affected Packages (4 packages)

Source      Package         Affected versions
npm         prismjs         < 1.24.0
CVEListV5   prismjs/prism   < 1.24
NVD         prismjs/prism   < 1.24.0

Patches

Vulnerability Details (4)

CVEList: Regular Expression Denial of Service (ReDoS) in Prism (2021-06-28)
OSV: Regular Expression Denial of Service (ReDoS) in Prism (2021-06-28)
GHSA: Regular Expression Denial of Service (ReDoS) in Prism (2021-06-28)
OSV: CVE-2021-32723: Prism is a syntax highlighting library (2021-06-28)

Vendor Advisories (2)

Oracle: Oracle Database Server Risk Matrix: Oracle Application Express (Prism), CVE-2021-32723 (2022-01-15)
Red Hat: npm-prismjs: a malicious (long) string will take a long time to highlight and may result in ReDoS (2021-06-28)