GHSL-2020-289: ReDoS Vulnerability in insane Library (CVE-2020-26303)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID and Name: - Vulnerability ID: GHSL-2020-289 - Vulnerability Name: Regular Expression Denial of Service (ReDoS) in insane - CVE-2020-26303 2. Report Date: - July 13, 2021 3. Reporter: - Erik Krogh Kristensen 4. Coordinated Disclosure Timeline: - November 30, 2020: Security contact requested - March 2, 2021: Deadline expired - July 13, 2021: Published according to GitHub SecLab disclosure policy 5. Vulnerability Description: - The project contains one or more regular expressions vulnerable to ReDoS (Regular Expression Denial of Service) attacks. 6. Affected Product: - insane 7. Tested Version: - Latest commit date: November 30, 2020 8. Vulnerability Details: - ReDoS is an attack that affects poorly constructed and potentially inefficient regular expressions, which may perform very poorly when given a creatively crafted input string. - ReDoS can be triggered by ambiguities or overlaps within regular expressions. Such poorly performing regex patterns can become security issues if user input is controllable. - General remediation for ReDoS involves removing ambiguities/overlaps in the regular expressions. 9. Example Code: - Example regular expressions and their remediation methods. 10. Exploitation: - Triggering the vulnerability by installing and running a script containing a malicious payload. 11. Impact: - May lead to denial of service. 12. CVE Number: - CVE-2020-26303 13. Credit: - The vulnerability was discovered and reported by GitHub team member Erik Krogh Kristensen. 14. Contact Information: - Contact GHSL team at securitylab@github.com, including reference GHSL-2020-289 in communications. This information provides a detailed description of the vulnerability, including its nature, impact, and remediation methods.

Goal Reached Thanks to every supporter — we hit 100%!

GHSL-2020-289: ReDoS Vulnerability in insane Library (CVE-2020-26303)