Directory Security Advisories

Security Advisories

CGA-69jr-f6mf-38rf

Published

Last updated

https://images.chainguard.dev/security/CGA-69jr-f6mf-38rf

Package

kubeflow-pipelines

Latest Update

Fixed

Fixed Version

2.2.0-r9

Aliases

Severity

7.5

High

CVSS V3

Summary

fast-xml-parser vulnerable to ReDOS at currency parsing

Description

Summary

A ReDOS that exists on currency.js was discovered by Gauss Security Labs R&D team.

Details

https://github.com/NaturalIntelligence/fast-xml-parser/blob/v4.4.0/src/v5/valueParsers/currency.js#L10 contains a vulnerable regex

PoC

pass the following string '\t'.repeat(13337) + '.'

Impact

Denial of service during currency parsing in experimental version 5 of fast-xml-parser-library

https://gauss-security.com

References

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

© 2024 Chainguard. All Rights Reserved.

Product

Chainguard Images

Why Chainguard

Container Image Security Vulnerability Remediation Compliance and Risk Mitigation Software Supply Chain Security AI/ML Security

Customers

Customer Stories Chainguard Love

Company

About Us Pricing Open Source Careers Newsroom Legal

Resources

Unchained Blog Events Trust Center Documentation