
CVE-2023-26112: configobj ReDoS exploitable by developer using values in a server-side configuration file

CVSS Score: 3.7 (CVSS v3.1)

Basic Information

EPSS Score: 0.20242%
Published: 4/3/2023
Updated: 12/16/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name: configobj
Ecosystem: pip
Vulnerable Versions: < 5.0.9
First Patched Version: 5.0.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The commit diff shows that the _func_re regex in the Validator class was patched to prevent ReDoS. The test_re_dos() test in test_validate_errors.py demonstrates exploitation via val.check(), confirming that the check method processes attacker-controlled input using the vulnerable regex. The CVE description explicitly ties the vulnerability to the validate function's regex parsing, which is implemented in the Validator's validation logic.
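To make the root cause concrete, the following added example (not code from this page, configobj, or its patch) compiles the regex quoted in the CVE description, shows why a long specifier with many '(' and no ')' makes it re-scan quadratically, and contrasts it with a linear-time split that returns the same (name, args) pairs on normal input. The re.DOTALL flag and the max_len bound are assumptions of this example.

```python
import re
import time

# The pre-5.0.9 check-specifier regex quoted in the CVE description on this page;
# it splits "name(args)" into the check name and its argument string.
# re.DOTALL is an assumed flag so that multi-line values behave the same way.
VULNERABLE_FUNC_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)


def split_check_regex(spec):
    """Split a specifier with the original regex; returns (name, args) or None."""
    match = VULNERABLE_FUNC_RE.match(spec)
    return None if match is None else (match.group(1), match.group(2))


def split_check_linear(spec, max_len=1024):
    """Linear-time split with the same result as the regex on the same input.

    Example code, not configobj's fix: the name ends at the first '(' at index 1
    or later (the lazy '.+?' needs one character), the args end at the last ')'
    (the greedy '.*'). The length bound is a hypothetical extra guard for values
    that developers place in server-side configuration files.
    """
    if len(spec) > max_len:
        raise ValueError("check specifier too long: %d chars" % len(spec))
    open_idx = spec.find('(', 1)
    close_idx = spec.rfind(')')
    if open_idx == -1 or close_idx < open_idx:
        return None
    return spec[:open_idx], spec[open_idx + 1:close_idx]


def pathological_spec(n):
    """Constructed ReDoS-style input: a one-character name, n '(' and no ')'.

    Each of the n lazy expansions of '.+?' lets '\\(' match, after which '.*'
    runs to the end and backtracks over the whole tail looking for a ')' that is
    never there, so the engine performs roughly n*n/2 steps before failing.
    """
    return 'a' + '(' * n


def regex_seconds(spec):
    """Wall-clock seconds the original regex spends on spec (for a local demo)."""
    start = time.perf_counter()
    split_check_regex(spec)
    return time.perf_counter() - start


if __name__ == '__main__':
    for n in (1000, 4000, 8000):
        print('n=%5d  regex: %.3fs' % (n, regex_seconds(pathological_spec(n))))
    print('linear:', split_check_linear(pathological_spec(8000), max_len=10 ** 5))
```

Doubling n roughly quadruples the regex time, while the linear split rejects the same input immediately; the per-value length bound is the cheap control a deployment can apply before any parsing.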


WAF Protection Rules

WAF Rule

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a serve
