Vulnerability Name:

CVE-2020-7754 (CCN-189917)

Assigned:2020-10-16
Published:2020-10-16
Updated:2020-10-27
Summary:This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-noinfo
CWE-400
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2020-7754

Source: XF
Type: UNKNOWN
nodejs-npmuservalidate-dos(189917)

Source: CONFIRM
Type: Patch, Third Party Advisory
N/A

Source: CONFIRM
Type: Third Party Advisory
N/A

Source: CONFIRM
Type: Exploit, Third Party Advisory
N/A

Source: CCN
Type: SNYK-JS-NPMUSERVALIDATE-1019352
Regular Expression Denial of Service (ReDoS)

Source: CONFIRM
Type: Exploit, Third Party Advisory
N/A

Source: CCN
Type: IBM Security Bulletin 6412227 (App Connect Enterprise)
Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7754)

Source: CCN
Type: IBM Security Bulletin 6453115 (Cloud Pak for Security)
Cloud Pak for Security contains security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6575649 (Spectrum Discover)
Medium/low severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6988617 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in Node.js

Source: CCN
Type: NPM Web site
npm-user-validate

Source: CCN
Type: WhiteSource Vulnerability Database
WS-2020-0180

Vulnerable Configuration:Configuration 1:
  • cpe:/a:npmjs:npm-user-validate:*:*:*:*:*:node.js:*:* (Version < 1.0.1)

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:11.0.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20210548
    P
    		RHSA-2021:0548: nodejs:10 security update (Moderate)
    2021-02-16
    oval:com.redhat.rhsa:def:20210549
    P
    		RHSA-2021:0549: nodejs:12 security update (Moderate)
    2021-02-16
    oval:com.redhat.rhsa:def:20210551
    P
    		RHSA-2021:0551: nodejs:14 security and bug fix update (Moderate)
    2021-02-16
    BACK
    npmjs npm-user-validate *
    nodejs node.js *
    ibm infosphere information server 11.7
    ibm integration bus 10.0.0
    ibm app connect 11
    ibm app connect 11.0.0.0
    ibm app connect enterprise 11.0.0.10
    ibm cloud pak for security 1.4.0.0
    ibm cloud pak for security 1.6.0.0
    ibm cloud pak for security 1.5.0.1
    ibm cloud pak for security 1.5.0.0
    ibm cloud pak for security 1.6.0.1