CVE-2023-32758 - Vulnerability Details - OpenCVE

giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Coala	Git-url-parse
Semgrep	Semgrep

Configuration 1 [-]

AND

cpe:2.3:a:coala:git-url-parse:*:*:*:*:*:*:*:*

cpe:2.3:a:semgrep:semgrep:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53
https://github.com/returntocorp/semgrep/pull/7611
https://github.com/returntocorp/semgrep/pull/7943
https://github.com/returntocorp/semgrep/pull/7955
https://pypi.org/project/git-url-parse

History

Thu, 23 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-05-15T00:00:00.000Z

Updated: 2025-01-23T19:38:56.258Z

Reserved: 2023-05-15T00:00:00.000Z

Link: CVE-2023-32758

Vulnrichment

Updated: 2024-08-02T15:25:37.050Z

NVD

Status : Modified

Published: 2023-05-15T04:15:10.330

Modified: 2025-01-23T20:15:30.073

Link: CVE-2023-32758

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-32758", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-01-23T19:38:56.258Z", "dateReserved": "2023-05-15T00:00:00.000Z", "datePublished": "2023-05-15T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-06-09T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53"}, {"url": "https://pypi.org/project/git-url-parse"}, {"url": "https://github.com/returntocorp/semgrep/pull/7611"}, {"url": "https://github.com/returntocorp/semgrep/pull/7955"}, {"url": "https://github.com/returntocorp/semgrep/pull/7943"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:37.050Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53", "tags": ["x_transferred"]}, {"url": "https://pypi.org/project/git-url-parse", "tags": ["x_transferred"]}, {"url": "https://github.com/returntocorp/semgrep/pull/7611", "tags": ["x_transferred"]}, {"url": "https://github.com/returntocorp/semgrep/pull/7955", "tags": ["x_transferred"]}, {"url": "https://github.com/returntocorp/semgrep/pull/7943", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1333", "lang": "en", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-23T19:35:33.714679Z", "id": "CVE-2023-32758", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-23T19:38:56.258Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53", "tags": ["x_transferred"]}, {"url": "https://pypi.org/project/git-url-parse", "tags": ["x_transferred"]}, {"url": "https://github.com/returntocorp/semgrep/pull/7611", "tags": ["x_transferred"]}, {"url": "https://github.com/returntocorp/semgrep/pull/7955", "tags": ["x_transferred"]}, {"url": "https://github.com/returntocorp/semgrep/pull/7943", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:37.050Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-32758", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-23T19:35:33.714679Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-23T19:36:53.891Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53"}, {"url": "https://pypi.org/project/git-url-parse"}, {"url": "https://github.com/returntocorp/semgrep/pull/7611"}, {"url": "https://github.com/returntocorp/semgrep/pull/7955"}, {"url": "https://github.com/returntocorp/semgrep/pull/7943"}], "descriptions": [{"lang": "en", "value": "giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-06-09T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2023-32758", "state": "PUBLISHED", "dateUpdated": "2025-01-23T19:38:56.258Z", "dateReserved": "2023-05-15T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-05-15T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coala:git-url-parse:*:*:*:*:*:*:*:*", "matchCriteriaId": "83D06CC5-06FA-4F72-BE31-F35ECB2A284F", "versionEndIncluding": "1.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:semgrep:semgrep:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CC52CD5-31F0-4CC6-BB04-04DDB331AD42", "versionEndIncluding": "1.21.0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package."}], "id": "CVE-2023-32758", "lastModified": "2025-01-23T20:15:30.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-05-15T04:15:10.330", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/returntocorp/semgrep/pull/7611"}, {"source": "cve@mitre.org", "url": "https://github.com/returntocorp/semgrep/pull/7943"}, {"source": "cve@mitre.org", "url": "https://github.com/returntocorp/semgrep/pull/7955"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://pypi.org/project/git-url-parse"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/returntocorp/semgrep/pull/7611"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/returntocorp/semgrep/pull/7943"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/returntocorp/semgrep/pull/7955"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://pypi.org/project/git-url-parse"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}