Vulnerability Name:

CVE-2022-25844 (CCN-225115)

Assigned:2022-04-21
Published:2022-04-21
Updated:2022-11-16
Summary:The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. *
Note: *1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-770
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-25844

Source: XF
Type: UNKNOWN
nodejs-cve202225844-dos(225115)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-e016e6f445

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-edf635cf39

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220629-0009/

Source: CCN
Type: SNYK-JS-ANGULAR-2772735
Regular Expression Denial of Service (ReDoS)

Source: MISC
Type: Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736

Source: MISC
Type: Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738

Source: MISC
Type: Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737

Source: MISC
Type: Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735

Source: MISC
Type: Exploit, Third Party Advisory
https://stackblitz.com/edit/angularjs-material-blank-zvtdvb

Source: CCN
Type: IBM Security Bulletin 6964174 (Sterling Control Center)
IBM Sterling Control Center is vulnerable to denial of service due to Node.js Angular (CVE-2022-25844)

Source: CCN
Type: NPM Web site
angular

Vulnerable Configuration:Configuration 1:
  • cpe:/a:angularjs:angular:*:*:*:*:*:node.js:*:* (Version >= 1.7.0

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*

    • * Denotes that component is vulnerable
    BACK
    angularjs angular *
    fedoraproject fedora 35
    fedoraproject fedora 36
    netapp ontap select deploy administration utility -
    nodejs node.js *