Vulnerability Name:

CVE-2021-21254 (CCN-195986)

Assigned:2020-12-22
Published:2021-01-28
Updated:2022-08-09
Summary:CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition regular expression, which could cause a significant performance drop resulting in browser tab freeze. It affects all users using CKEditor 5 Markdown plugin at version <= 24.0.0. The problem has been recognized and patched. The fix will be available in version 25.0.0.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-400
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2021-21254

Source: XF
Type: UNKNOWN
ckeditor5-cve202121254-dos(195986)

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/ckeditor/ckeditor5/releases/tag/v25.0.0

Source: CCN
Type: CKEditor 5 GIT Repository
Regular expression Denial of Service in Markdown plugin

Source: CONFIRM
Type: Third Party Advisory
https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-hgmg-hhc8-g5wr

Source: CCN
Type: NPM Web site
@ckeditor/ckeditor5-markdown-gfm

Source: MISC
Type: Release Notes, Third Party Advisory
https://www.npmjs.com/package/@ckeditor/ckeditor5-markdown-gfm

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-21254

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ckeditor:ckeditor5:*:*:*:*:*:*:*:* (Version < 25.0.0)

    • * Denotes that component is vulnerable
    BACK
    ckeditor ckeditor5 *