CVE-2020-5243

NameCVE-2020-5243
Descriptionuap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs952649

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
uap-core (PTS)buster20190213-2vulnerable
bullseye1:0.12.0-1fixed
bookworm1:0.16.0-1fixed
sid1:0.18.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
uap-coresource(unstable)1:0.8.0-1952649

Notes

[buster] - uap-core <no-dsa> (Minor issue)
https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
https://github.com/ua-parser/uap-core/commit/a679b131697e7371f0441f4799940779efa2f27e
https://github.com/ua-parser/uap-core/commit/dd279cff09546dbd4174bd05d29c0e90c2cffa7c
https://github.com/ua-parser/uap-core/commit/7d92a383440c9742ec878273c90a4dcf8446f9af
https://github.com/ua-parser/uap-core/commit/e9a1c74dae9ecd4aa6385bd34ef6c7243f89b537
Search for package or bug name: Reporting problems