CVE-2022-41715

Public on 2022-10-14
Modified on 2024-01-12
Description

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.

Severity
Medium
See what this means
CVSS v3 Base Score
6.2
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Core golang 2022-12-01 20:31 ALAS2-2022-1887
Amazon Linux 2 - Golang1.19 Extra golang 2023-08-07 05:59 ALAS2GOLANG1.19-2023-002
Amazon Linux 2023 golang 2023-02-17 20:45 ALAS2023-2023-048
Amazon Linux 2 - Core golist 2023-01-18 00:17 ALAS2-2023-1913
Amazon Linux 2023 golist 2023-02-17 20:45 ALAS2023-2023-046

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2022-41715 Mitre: CVE-2022-41715 FAQs regarding Amazon Linux ALAS/CVE Severity