CVE-2020-7760 - Denial of Service (DoS)

Severity: Low

Date: 2022-10-13


Abstract

This affects the package codemirror before 5.58.2 and the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDoS vulnerability of the regex is mainly due to the sub-pattern (\s|/\*.*?\*/)*

The Oxygen products incorporate codemirror as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
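The sub-pattern named above, (\s|/\*.*?\*/)*, is super-linear because an input with several "/*...*/" segments can be carved into comments in many ways (for example "/**/**/" is either one comment or two), and when the match as a whole then fails the backtracking engine tries every partition. The added example below is not CodeMirror's or Oxygen's code; it places the prefix regex beside a hand-written scanner that accepts exactly the same prefix in one left-to-right pass, which is the usual fix for this class of regex. The sample inputs are constructed for the example and cover the edge cases such a scanner has to reproduce: an unterminated comment, a comment that spans a line (a JavaScript "." does not match line terminators, so the regex alternative cannot either), and a stray "*/".

```javascript
// Added example (not CodeMirror's or Oxygen's code): the prefix language
// (\s|/\*.*?\*/)* from the advisory, matched two ways.

// The backtracking form, anchored as a prefix match (for comparison only).
const PREFIX_REGEX = /^(?:\s|\/\*.*?\*\/)*/;

// Prefix length as the regex engine computes it.
function prefixLengthWithRegex(src) {
  // "^(...)*" always matches, possibly with length 0, so [0] is defined.
  return src.match(PREFIX_REGEX)[0].length;
}

// In a JavaScript regex "." does not match these four characters, so the
// "/*...*/" alternative can only match a comment confined to one line.
const LINE_TERMINATORS = /[\n\r\u2028\u2029]/;

// Linear-time equivalent: skips whitespace and single-line block comments and
// returns the index of the first character that is neither. Each character is
// examined a bounded number of times and nothing is ever re-scanned.
function prefixLengthLinear(src) {
  let i = 0;
  while (i < src.length) {
    // Alternative 1: one whitespace character (same class as \s; a
    // single-character regex test cannot backtrack).
    if (/\s/.test(src[i])) {
      i += 1;
      continue;
    }
    // Alternative 2: "/*" followed by the nearest "*/" (the lazy .*?) with no
    // line terminator in between. Anything else ends the prefix.
    if (src[i] === "/" && src[i + 1] === "*") {
      const close = src.indexOf("*/", i + 2);
      if (close === -1) break;                                   // unterminated
      if (LINE_TERMINATORS.test(src.slice(i + 2, close))) break; // spans lines
      i = close + 2;
      continue;
    }
    break;
  }
  return i;
}

// Constructed sample inputs, including the edge cases a scanner must get right.
const SAMPLES = [
  "  /* a */ /* b */x", // two comments; prefix ends at "x" (length 17)
  "/* open",            // unterminated comment: nothing consumed (0)
  "/* a\n */ y",        // comment spans a line: "." cannot cross it (0)
  "/**/*/ q",           // "/**/" is consumed, the stray "*/" is not (4)
  "/*/",                // "/*" with no real closer (0)
  "\t\n  z",            // plain whitespace (4)
  "",                   // empty input (0)
];

// True when the scanner and the regex agree on every sample.
function implementationsAgree(samples = SAMPLES) {
  return samples.every((s) => prefixLengthLinear(s) === prefixLengthWithRegex(s));
}

console.log("scanner agrees with regex on all samples:", implementationsAgree());
```

The scanner keeps the regex's exact semantics (lazy closing, no multi-line comments, stop at the first thing that is neither whitespace nor a closed comment), which is what makes it a drop-in replacement rather than a behavioural change; the agreement check is the regression test a maintainer would keep when swapping a regex for a hand-written tokenizer.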

Affected Products/Versions

Product | Severity | Fixed Release Availability
Oxygen XML Web Author v24.1 and older | Low | Oxygen XML Web Author 25.0 build 2022100711
Oxygen Content Fusion v5.0 and older | Low | N/A

Mitigation

None

Detail

CVE-2020-7760

Severity: High

CVSS Score: 7.5

The codemirror third-party library used by Oxygen XML products is one of the versions listed as affected in the CVE-2020-7760 description. However, Oxygen products do not load the vulnerable file (javascript.js). For that reason, we have rated the severity level for our products as Low.

Starting with Oxygen XML Web Author v25.0, the codemirror library was updated to v5.65.8, which fixes this vulnerability.
