CVE-2021-27290

moderate-risk
Published 2021-03-12

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Do I need to act?

~
4.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (4)

Ssri

Affected Vendors

Oracle Siemens Ssri Project

References (10)

Patch https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Exploit https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
Exploit https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
Product https://npmjs.com
Patch https://www.oracle.com/security-alerts/cpuoct2021.html
Patch https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Exploit https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
Exploit https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
Product https://npmjs.com
Patch https://www.oracle.com/security-alerts/cpuoct2021.html
44
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 8/34 · Low
Exposure 10/34 · Low