CVE: CVE-2021-21317

Export to Word

uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.

Threat-Mapped Scoring

Score: 1.9

Priority: P3 - Important (Medium)

S9 – Sabotage of System/App
S10 – Denial of Service (+0.1 bonus)

EPSS

Score: 0.01481
Percentile: 0.80135

CVSS Scoring

CVSS v3.1 Score: 5.3

Severity: MEDIUM

Mapped CWE(s)

CWE-1333 : Inefficient Regular Expression Complexity
CWE-400 : Uncontrolled Resource Consumption

All CAPEC(s)

CAPEC-147: XML Ping of the Death
CAPEC-227: Sustained Client Engagement
CAPEC-492: Regular Expression Exponential Blowup

CAPEC(s) with Mapped TTPs

CAPEC-227: Sustained Client Engagement
Mapped TTPs:
- T1499 : Endpoint Denial of Service

Mapped ATT&CK TTPs

T1499 : Endpoint Denial of Service
Kill Chain: impact

Malware

APTs Threat Group Associations

Sandworm Team

Campaigns

Affected Products

cpe:2.3:a:uap-core_project:uap-core:*:*:*:*:*:node.js:*:*

← Back to Home