VYPR
Unrated severity · NVD Advisory · Published Aug 18, 2021 · Updated Aug 3, 2024

regex injection leading to DoS

CVE-2021-33580

Description

The user-controlled values request.getHeader("Referer"), request.getRequestURL() and request.getQueryString() are used to build and then run a regular expression. The attacker does not need a browser: a specially crafted Referer header can be sent programmatically along with a request whose URL and query string are likewise attacker-chosen. Because the attacker controls both the subject string and the pattern it is matched against, a pattern with nested quantifiers can trigger catastrophic backtracking in the server's regex engine and cause a denial of service (ReDoS). This problem has been fixed in Roller 6.0.2.
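
The shape of the flaw and of the fix, as an added Java example that is not Roller's own code: the class below is hypothetical, its purpose (checking whether the Referer points back at the page being requested) is assumed for illustration, and the URL, header and query-string values are constructed. refererMatchesRequestVulnerable pastes the request URL and the raw query string into a pattern and runs it against the Referer, so a client that requests /roller/page?q=(a+)+$ and sends a Referer with the same prefix, a long run of a and a trailing ! supplies both a nested quantifier and a subject that defeats the $ anchor. refererMatchesRequestQuoted wraps the same text in Pattern.quote so it is matched literally, and refererMatchesRequestPlain drops the regex altogether.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Hypothetical illustration of the flaw class behind CVE-2021-33580; not code from Apache Roller.
public final class ReferrerCheck {

    // Vulnerable shape: the request URL and the raw query string (both chosen by the
    // client) are pasted into a pattern, which is then run against the Referer header
    // (also chosen by the client). Metacharacters such as ( + ) $ arrive intact because
    // the servlet container does not decode getQueryString().
    static boolean refererMatchesRequestVulnerable(String referer, String requestUrl, String queryString) {
        if (referer == null) return false;
        String pattern = ".*" + requestUrl
                + (queryString == null ? "" : "\\?" + queryString) + ".*";
        try {
            return referer.matches(pattern);   // compiles and runs the attacker's pattern
        } catch (PatternSyntaxException e) {
            return false;                      // an unparseable pattern would otherwise throw out of the handler
        }
    }

    // Fix when a regex must be kept: treat the URL text as a literal with Pattern.quote,
    // so (a+)+$ in the query string is wrapped in \Q...\E and cannot introduce quantifiers.
    static boolean refererMatchesRequestQuoted(String referer, String requestUrl, String queryString) {
        if (referer == null) return false;
        String expected = queryString == null ? requestUrl : requestUrl + "?" + queryString;
        Pattern p = Pattern.compile(".*" + Pattern.quote(expected) + ".*");
        return p.matcher(referer).matches();
    }

    // Preferred fix: a "does the Referer point back at this page?" check needs no regex at all.
    static boolean refererMatchesRequestPlain(String referer, String requestUrl, String queryString) {
        String expected = queryString == null ? requestUrl : requestUrl + "?" + queryString;
        return referer != null && referer.contains(expected);
    }

    public static void main(String[] args) {
        String requestUrl = "https://blog.example/roller/page";  // constructed value
        String evilQuery = "q=(a+)+$";  // attacker-chosen raw query string: nested quantifier plus anchor
        for (int n = 10; n <= 22; n += 4) {
            // Attacker-chosen Referer: same prefix, a run of a's, then a character that makes
            // the $ anchor fail, so the engine backtracks through every way of splitting (a+)+.
            String referer = "https://blog.example/roller/page?q=" + "a".repeat(n) + "!";

            long t0 = System.nanoTime();
            boolean vuln = refererMatchesRequestVulnerable(referer, requestUrl, evilQuery);
            long vulnMs = (System.nanoTime() - t0) / 1_000_000;

            t0 = System.nanoTime();
            boolean quoted = refererMatchesRequestQuoted(referer, requestUrl, evilQuery);
            long quotedMs = (System.nanoTime() - t0) / 1_000_000;

            System.out.printf("n=%2d  vulnerable=%-5b %6d ms   quoted=%-5b %3d ms%n",
                    n, vuln, vulnMs, quoted, quotedMs);
        }
    }
}
```

Compile and run with javac ReferrerCheck.java && java ReferrerCheck (Java 11 or later, for String.repeat). Both checks return false for every n, but the vulnerable one's running time grows exponentially with the number of a characters in the Referer while the quoted one stays near zero. java.util.regex has no matching timeout, so a single request to a handler of the first shape ties up a worker thread for as long as the attacker chooses; the only defence is to keep client-supplied text out of the pattern, by quoting it or by not using a regex.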

Affected products

  • Apache/Roller
    Range: <6.0.2
  • Apache Software Foundation/Apache Roller
    Range: not specified
