Skip to content

happy0717/CVE-2023-27704

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2023-27704

CVE-2023-27704 Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS)

fix at Everything 1.5 alpha

image

[Suggested description] Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS).


[Additional Information] I put the detailed reproduction process in this link: https://drive.google.com/drive/folders/1BmHAGSugrFo0whDEmg6nnbaOkvE21X-p?usp=sharing


[VulnerabilityType Other] Regular expression Denial of Service


[Vendor of Product] https://www.voidtools.com/


[Affected Product Code Base] Everything - lower than 1.4.1.1022 (x64)


[Affected Component] Everything installed version lower than 1.4.1.1022 (x64)


[Attack Type] Local


[Impact Denial of Service] true


[Attack Vectors] I discovered a ReDos vulnerability in everything Version 1.4.1.1015 (x64)

The ReDos vulnerability trigger is roughly like this,"^([\w]+)+$"

Recurrence process: 1.Enable the regex function of everything

2.Insert regex statements that can lead to ReDos in the search box

Then you can see in the task manager that the CPU usage is very high can reach more than 90%, and everything is not responding

I put the detailed reproduction process in this link: https://drive.google.com/drive/folders/1BmHAGSugrFo0whDEmg6nnbaOkvE21X-p?usp=sharing


[Reference] https://drive.google.com/drive/folders/1BmHAGSugrFo0whDEmg6nnbaOkvE21X-p?usp=sharing https://www.voidtools.com/en-us/downloads/


[Discoverer] happy0717

About

CVE-2023-27704 Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published