configobj ReDoS exploitable by developer using values in a server-side configuration file
Low severity. GitHub Reviewed.
Published by the National Vulnerability Database: Apr 3, 2023
Published to the GitHub Advisory Database: Apr 3, 2023
Reviewed: Apr 4, 2023
Last updated: Nov 12, 2023

Description
All versions of the configobj package are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, which uses the pattern (.+?)((.*)). Note: this is only exploitable when a developer puts the offending value in a server-side configuration file.