CVE-2020-5243

Summary

uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.

Affected Software

VendorProductVersion RangeStatus
ua-parseruap-core< 0.7.3affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

References