CVE Vulnerability

CVE-2022-31099

rulex is a new, portable, regular expression language. When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately. This is a security concern for you, if your service parses untrusted rulex expressions (expressions provided by an untrusted user), and your service becomes unavailable when the process running rulex aborts due to a stack overflow. The crash is fixed in version **0.4.3**. Affected users are advised to update to this version. There are no known workarounds for this issue.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/rulex-rs/rulex/security/advisories/GHSA-v78m-2q7v-fjqp Third Party Advisory
https://github.com/rulex-rs/rulex/commit/60aa2dc03a22d69c8800fec81f99c96958a11363 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:pomsky-lang:pomsky:*:*:*:*:*:rust:*:*
Information

Published : 2022-06-27 11:15

Updated : 2022-07-11 02:26

NVD link : CVE-2022-31099

Mitre link : CVE-2022-31099

Products Affected
No products.
CWE
CWE-674

Uncontrolled Recursion