CVE-2023-32758

CVSS V2 None CVSS V3 None

Description

giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep through 1.21.0, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.

Overview

CVE ID
CVE-2023-32758

Assigner
cve@mitre.org

Vulnerability Status
Received

Published Version
2023-05-15T04:15:10

Last Modified Date
2023-05-15T04:15:10

References

Reference URL	Reference Tags
https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53
https://github.com/returntocorp/semgrep/pull/7611
https://pypi.org/project/git-url-parse

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-32758
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32758

History

Created	Old Value	New Value	Data Type	Notes
2023-05-15 05:00:25				Added to TrackCVE