Published: 21/02/2020 Updated: 25/02/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

uap-core prior to 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some of its regexes are vulnerable to regular expression denial of service (ReDoS) because of overlapping capture groups: a crafted input forces the regex engine into catastrophic backtracking. This allows unauthenticated remote attackers to exhaust CPU on a server simply by setting the User-Agent header of an HTTP(S) request to a maliciously crafted long string. The impact is limited to availability (CVSS A:P with C:N/I:N). This has been patched in uap-core 0.7.3; since uap-core is the shared regex definition file consumed by the language-specific ua-parser libraries, those consumers remain affected until they pick up the updated definitions.
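The following is an added example, written for this page and not taken from uap-core or any ua-parser library, that reproduces the failure mode the summary describes. The two regexes, the `Evil/1.0 ...` payload and the 512-byte length cap are all constructed assumptions, chosen only to have the same shape as the problem (a quantified capture group whose body overlaps with itself) and its fix (a single, non-nested quantifier); they are not the patterns that were changed in uap-core 0.7.3.

```python
import re
import time

# Constructed, hypothetical User-Agent regexes. They are NOT the patterns
# shipped in uap-core's regexes.yaml; they only reproduce the pattern shape
# the advisory describes: a quantified capture group whose body overlaps with
# itself (nested repetition), so a long run of matching characters can be
# split in exponentially many ways before the final anchor fails.
VULNERABLE_RE = re.compile(r"^(\w+)/(\d+)\.(\d+)(?:\.(\d+))?\s*([\w\s]+)*$")

# Hardened shape: the trailing text is matched by a single, non-nested
# quantifier, so backtracking is linear in the input length.
HARDENED_RE = re.compile(r"^(\w+)/(\d+)\.(\d+)(?:\.(\d+))?\s*([\w\s]+)?$")

# Independent second layer (an assumption, not something the advisory
# mandates): refuse to run any regex over an absurdly long header at all.
MAX_UA_LENGTH = 512


def parse_ua(ua, pattern=HARDENED_RE):
    """Return (family, major, minor, patch) or None for an unparseable UA."""
    if len(ua) > MAX_UA_LENGTH:
        return None  # the cap is enforced before any regex evaluation
    m = pattern.match(ua)
    if m is None:
        return None
    family, major, minor, patch, _trailer = m.groups()
    return (family, int(major), int(minor), int(patch) if patch else None)


def crafted_ua(n):
    """Attacker-style payload (constructed): a valid-looking prefix, a run of
    n ambiguous word characters, then a byte ("!") that no branch accepts, so
    the engine must exhaust every split of the run before giving up."""
    return "Evil/1.0 " + "a" * n + "!"


def time_match(pattern, ua):
    """Seconds spent inside pattern.match(ua), returned rather than printed."""
    start = time.perf_counter()
    pattern.match(ua)
    return time.perf_counter() - start


def backtracking_growth(pattern, sizes):
    """Map payload length -> seconds, to compare the growth curves of two regexes."""
    return {n: time_match(pattern, crafted_ua(n)) for n in sizes}


if __name__ == "__main__":
    # Each +2 on n roughly quadruples the vulnerable pattern's time; the
    # hardened pattern stays in the microsecond range. Raise n with care.
    for name, pat in (("vulnerable", VULNERABLE_RE), ("hardened", HARDENED_RE)):
        for n, secs in backtracking_growth(pat, (12, 14, 16, 18)).items():
            print(f"{name:10s} n={n:2d} {secs * 1000:9.2f} ms")
    # A 600-byte payload never reaches the regex because of the length cap.
    print(parse_ua(crafted_ua(600), VULNERABLE_RE))
```

Both patterns return identical results for ordinary User-Agent values; only their behaviour on the crafted input differs, which is why a ReDoS slips through functional tests. The length cap is a separate mitigation and does not replace fixing the pattern, since a payload under the cap still costs exponential time. Engines that guarantee linear matching (RE2, Go's regexp) are not affected by this class of bug, but the reference ua-parser libraries run the uap-core patterns on backtracking engines such as Python's re.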

Vendor Advisories

Debian Bug report logs - #952649
uap-core: CVE-2020-5243
Package: src:uap-core; Maintainer for src:uap-core is Edward Betts <edward@4angle.com>
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 26 Feb 2020 20:54:02 UTC
Severity: grave
Tags: security, upstream
Found in version uap-core/20190213-2 ...