Rapid7 Vulnerability & Exploit Database

Red Hat JBossEAP: Inefficient Regular Expression Complexity (CVE-2024-45296)

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

Red Hat JBossEAP: Inefficient Regular Expression Complexity (CVE-2024-45296)

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
09/09/2024
Created
09/20/2024
Added
09/19/2024
Modified
09/20/2024

Description

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.. A flaw was found in path-to-regexp package, where it turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a denial of service (DoS).

Solution(s)

  • red-hat-jboss-eap-upgrade-latest

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;