Details of VAR-202302-0189

ID

VAR-202302-0189

CVE

CVE-2023-23925

TITLE

Switcher Client Inefficient Regular Expression Complexity Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-003356

DESCRIPTION

Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS). This issue has been patched in version 3.1.4. As a workaround, avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations. Switcher Client contains an inefficient regular expression complexity vulnerability.Service operation interruption (DoS) It may be in a state

Trust: 1.8

sources: NVD: CVE-2023-23925 // JVNDB: JVNDB-2023-003356 // VULHUB: VHN-452487 // VULMON: CVE-2023-23925

AFFECTED PRODUCTS

vendor:	switcherapi	model:	switcher client	scope:	lt	version:	3.1.4	Trust: 1.0
vendor:	switcher api	model:	client	scope:	eq	version:	-	Trust: 0.8
vendor:	switcher api	model:	client	scope:	eq	version:	3.1.4	Trust: 0.8

sources: JVNDB: JVNDB-2023-003356 // NVD: CVE-2023-23925

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-23925
value:	HIGH
Trust: 1.0
security-advisories@github.com:	CVE-2023-23925
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-23925
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202302-276
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2023-23925
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
security-advisories@github.com:	CVE-2023-23925
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	4.7
version:	3.1
Trust: 1.0
NVD:	CVE-2023-23925
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-003356 // CNNVD: CNNVD-202302-276 // NVD: CVE-2023-23925 // NVD: CVE-2023-23925

PROBLEMTYPE DATA

problemtype:	CWE-400	Trust: 1.1
problemtype:	CWE-1333	Trust: 1.0
problemtype:	Inefficient regular expression complexity (CWE-1333) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-452487 // JVNDB: JVNDB-2023-003356 // NVD: CVE-2023-23925

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-276

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202302-276

PATCH

title:	v3.1.4 GitHub	url:	https://github.com/switcherapi/switcher-client-js/releases/tag/v3.1.4	Trust: 0.8
title:	switcher-client-master Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=225520	Trust: 0.6

sources: JVNDB: JVNDB-2023-003356 // CNNVD: CNNVD-202302-276

EXTERNAL IDS

db:	NVD	id:	CVE-2023-23925	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-003356	Trust: 0.8
db:	CNNVD	id:	CNNVD-202302-276	Trust: 0.6
db:	VULHUB	id:	VHN-452487	Trust: 0.1
db:	VULMON	id:	CVE-2023-23925	Trust: 0.1

sources: VULHUB: VHN-452487 // VULMON: CVE-2023-23925 // JVNDB: JVNDB-2023-003356 // CNNVD: CNNVD-202302-276 // NVD: CVE-2023-23925

REFERENCES

url:	https://github.com/switcherapi/switcher-client-master/releases/tag/v3.1.4	Trust: 1.8
url:	https://github.com/switcherapi/switcher-client-master/security/advisories/ghsa-wqxw-8h5g-hq56	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-23925	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-23925/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/400.html	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/1333.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-452487 // VULMON: CVE-2023-23925 // JVNDB: JVNDB-2023-003356 // CNNVD: CNNVD-202302-276 // NVD: CVE-2023-23925

SOURCES

db:	VULHUB	id:	VHN-452487
db:	VULMON	id:	CVE-2023-23925
db:	JVNDB	id:	JVNDB-2023-003356
db:	CNNVD	id:	CNNVD-202302-276
db:	NVD	id:	CVE-2023-23925

LAST UPDATE DATE

2024-08-14T14:37:04.411000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-452487	date:	2023-02-15T00:00:00
db:	VULMON	id:	CVE-2023-23925	date:	2023-02-06T00:00:00
db:	JVNDB	id:	JVNDB-2023-003356	date:	2023-09-06T07:44:00
db:	CNNVD	id:	CNNVD-202302-276	date:	2023-02-16T00:00:00
db:	NVD	id:	CVE-2023-23925	date:	2023-11-07T04:08:06.150

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-452487	date:	2023-02-03T00:00:00
db:	VULMON	id:	CVE-2023-23925	date:	2023-02-03T00:00:00
db:	JVNDB	id:	JVNDB-2023-003356	date:	2023-09-06T00:00:00
db:	CNNVD	id:	CNNVD-202302-276	date:	2023-02-03T00:00:00
db:	NVD	id:	CVE-2023-23925	date:	2023-02-03T20:15:10.433