CVE-2023-26112

Advisory

The configobj package affected versions contains a Regular Expression Denial of Service (ReDoS) vulnerability in its validate function. The vulnerable regex (.+?)\((.*)\) allows attackers to cause denial of service using specially crafted input with nested parentheses. This issue primarily affects server-side applications using configobj for configuration parsing. The vulnerability is patched by modifying the regex to ([^\(\)]+?)\((.*)\), preventing matching of nested parentheses.
NOTE: This is only exploitable in the case of a developer putting the offending value in a server side configuration file.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file. See CVE-2023-26112.


MISC:https://github.com/DiffSK/configobj/issues/232: https://github.com/DiffSK/configobj/issues/232
MISC:https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494: https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494

Resources

• https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5
• https://github.com/DiffSK/configobj/pull/236
• https://github.com/DiffSK/configobj/issues/232
• https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26112
• https://lists.fedoraproject.org/archives/list/[email protected]/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/6BO4RLMYEJODCNUE3DJIIUUFVTPAG6VN/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/