
Navigate endpoint is vulnerable to regex injection that may lead to Denial of Service.

Moderate
karussell published GHSA-hf44-3mx6-vhhw May 11, 2021

Package

graphhopper-nav (Maven)

Affected versions

2.0, 2.1, 2.2, 2.3

Patched versions

2.4

Description

Impact

The navigate endpoint is vulnerable to a regex injection that may lead to Denial of Service.

Patches

Will be patched in 2.4 and 3.0.

Workarounds

Versions lower than 2.x are only affected if the navigation module is added.

References

See this pull request for the fix: #2304

If you have any questions or comments about this advisory, please send us an email or create a topic here.

Severity

Moderate, 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2021-29506

Weaknesses

No CWEs