CVE-2023-26112: configobj ReDoS exploitable by developer using values in a server-side configuration file

April 3, 2023 (updated April 4, 2023)

All versions of the package configobj is vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)((.*)). Note: This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.

References

github.com/DiffSK/configobj/issues/232
github.com/advisories/GHSA-c33w-24p9-8m24
nvd.nist.gov/vuln/detail/CVE-2023-26112
security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494

Detect and mitigate CVE-2023-26112 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →