codemirror codemirror CVE-2020-7760 in Codemirror and Oracle Products
Published on October 30, 2020

Regular Expression Denial of Service (ReDoS)

product logo product logo
This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)*

Vendor Advisory NVD

Vulnerability Analysis

CVE-2020-7760 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
LOW

Products Associated with CVE-2020-7760

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-7760 are published in these products:

Codemirror
 
Oracle Application Express
 
Oracle Essbase
 
Oracle Enterprise Manager Express User Interface
 
Oracle Hyperion Data Relationship Management
 
Oracle Spatial Studio
 
Oracle
 

Exploit Probability

EPSS
0.34%
Percentile
56.29%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.