CVE-2023-26112: configobj ReDoS exploitable by developer using values in a server-side configuration file
Versions of the package configobj before 5.0.9 are vulnerable to Regular Expression Denial of Service (ReDoS) in the validate module, which splits a configspec check such as `integer(min=0, max=10)` into a function name and an argument string with the regular expression `(.+?)\((.*)\)`. A check string containing many `(` characters and no `)` makes this match take time quadratic in its length. Note: this is only exploitable if a developer puts the offending value in a server-side configuration file (the configspec whose checks are parsed), so it is not reachable from end-user input on its own.
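To make the advisory's point concrete, the following is an added example written for this page; it is not configobj's own code and not the project's patched code. It reproduces the regex the advisory quotes (with its escaped parentheses restored), a backtracking-free split that returns exactly the same result, and a timing helper for the worst-case input. The function names and the constructed check strings are this editor's assumptions for illustration.

```python
import re
import time

# The function-call pattern the advisory quotes: configobj's validate module
# uses it to split a configspec check such as "integer(min=0, max=10)" into a
# name and an argument string. Reproduced here only to demonstrate the
# behaviour; this is not the project's patched code.
VULNERABLE_FUNC_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)


def parse_check_regex(check):
    """Regex split as in the vulnerable versions: (name, args) or None.

    On a string with many '(' and no ')' the lazy '.+?' is extended one
    character at a time, and for each extension the greedy '.*' runs to the
    end and backtracks all the way: quadratic in len(check).
    """
    m = VULNERABLE_FUNC_RE.match(check)
    return None if m is None else (m.group(1), m.group(2))


def parse_check_linear(check):
    """Backtracking-free equivalent (this editor's replacement, not
    configobj's fix; written to reproduce the regex's result exactly).

    re.match semantics of the pattern: the name is everything before the
    first '(' that is preceded by at least one character, and the argument
    string runs from there to the LAST ')' in the string.
    """
    open_idx = check.find('(', 1)          # '.+?' needs at least one char first
    if open_idx == -1:
        return None
    close_idx = check.rfind(')')           # greedy '.*' stops at the last ')'
    if close_idx < open_idx:
        return None
    return check[:open_idx], check[open_idx + 1:close_idx]


def time_regex_parse(n):
    """Seconds the vulnerable regex spends on a constructed check string of
    n opening parentheses and no closing one (the worst case)."""
    payload = '(' * n                      # constructed sample input
    start = time.perf_counter()
    parse_check_regex(payload)
    return time.perf_counter() - start


if __name__ == '__main__':
    for check in ('integer(min=0, max=10)', 'string', 'f(a)b)c', '(' * 40):
        print(repr(check[:20]), parse_check_regex(check), parse_check_linear(check))
    # Doubling n roughly quadruples the time taken by the regex version,
    # while parse_check_linear stays linear.
    for n in (10000, 20000, 40000):
        print(f'n={n:6d}  regex {time_regex_parse(n):.3f}s')
```

Only the check text after `=` in a configspec line (for example `port = integer(min=1, max=65535)`) goes through this split, which is why the advisory scopes the issue to values a developer places in a server-side configuration file; the values being validated against the spec do not reach the pattern. The practical fix is to upgrade to configobj 5.0.9 or later rather than to patch the regex locally.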
References
- github.com/DiffSK/configobj
- github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5
- github.com/DiffSK/configobj/issues/232
- github.com/advisories/GHSA-c33w-24p9-8m24
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BO4RLMYEJODCNUE3DJIIUUFVTPAG6VN
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK
- nvd.nist.gov/vuln/detail/CVE-2023-26112
- pypi.org/project/configobj/5.0.9
- security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494