
CVE-2021-42248: Duplicate Advisory: ReDoS via crafted JSON input in GJSON

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: -
Published: 5/25/2022
Updated: 5/3/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name: github.com/tidwall/gjson
Ecosystem: go
Vulnerable Versions: < 1.9.3
First Patched Version: 1.9.3

Vulnerability Intelligence
Miggo AI: Root Cause Analysis

The vulnerability stemmed from using tidwall/match's Match function without complexity limits in three key areas: 1) the core match.Match function itself, from the dependency; 2) the queryMatches function, which handles the % and !% operators; 3) the parseObject function, which processes wildcard paths. The patch replaced these calls with matchLimit, which adds step constraints. The high confidence comes from explicit patch changes showing replacement of Match with MatchLimit in these locations, and from CWE-1333's direct relation to regex complexity issues.
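The effect of a step constraint on wildcard matching, as an added example (not GJSON's or tidwall/match's code): `matchSteps` is a hypothetical byte-wise backtracking matcher, and the input strings and the budget of 10000 are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// matchSteps is a hypothetical backtracking matcher for '*' and '?' wildcards
// (not tidwall/match's code). limit <= 0 means unbounded; otherwise the search
// is abandoned once more than limit steps have been taken.
func matchSteps(str, pat string, limit int) (matched, stopped bool, steps int) {
	var rec func(s, p string) bool
	rec = func(s, p string) bool {
		steps++
		if limit > 0 && steps > limit {
			stopped = true // budget exhausted: give up rather than keep backtracking
			return false
		}
		if p == "" {
			return s == ""
		}
		if p[0] == '*' {
			// Try every possible length for the run consumed by '*'.
			for i := 0; i <= len(s) && !stopped; i++ {
				if rec(s[i:], p[1:]) {
					return true
				}
			}
			return false
		}
		if s != "" && (p[0] == '?' || p[0] == s[0]) {
			return rec(s[1:], p[1:])
		}
		return false
	}
	matched = rec(str, pat)
	return matched, stopped, steps
}

func main() {
	// Constructed input: many '*' segments that can never reach the final 'b'.
	str := strings.Repeat("a", 20)
	pat := strings.Repeat("*a", 8) + "*b"
	_, _, unbounded := matchSteps(str, pat, 0)
	_, stopped, bounded := matchSteps(str, pat, 10000) // 10000 is an illustrative budget
	fmt.Println("unbounded steps:", unbounded)
	fmt.Println("bounded steps:", bounded, "stopped:", stopped)
}
```

A bounded matcher reports "no match" when it gives up, so callers that need to tell a real mismatch from an exhausted budget should check the `stopped` flag.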


WAF Protection Rules

WAF Rule

## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-ppj*-**rq-v*j*. This link is maintained to preserve external references.
## Original Description
GJSON <= *.*.* allows attackers to cause a redos via crafted JS
