Regular Expression Denial of Service (ReDoS) Affecting ifax/hylafax package, versions [,4.2.1)


Severity

high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.45% (76th percentile)

  • Snyk ID: SNYK-UNMANAGED-IFAXHYLAFAX-2364994
  • Published: 26 Jan 2022
  • Disclosed: 31 Dec 2004
  • Credit: Unknown

Introduced: 31 Dec 2004

CVE-2004-1182
CWE-1333

How to fix?

Upgrade ifax/hylafax to version 4.2.1 or higher.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). hfaxd in HylaFAX before 4.2.1, when installed with a "weak" hosts.hfaxd file, allows remote attackers to authenticate and bypass intended access restrictions via a crafted (1) username or (2) hostname that satisfies a regular expression that is matched against a hosts.hfaxd entry without a password.
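To check a hosts.hfaxd file for the "weak" entries described above, the following added example (not code from Snyk or from the HylaFAX project) flags entries that have no password and whose pattern is not anchored at both ends. It assumes the `client:uid:passwd:adminwd` field layout with `client` matched as a regular expression against `user@host`, that a leading `!` marks a deny entry, and that Python's `re` is a close enough stand-in for the server's regex engine; all sample entries are constructed.

```python
import re

# Constructed sample hosts.hfaxd content (not taken from the advisory).
# Assumed layout: client:uid:passwd:adminwd, where "client" is a regex
# matched against "user@host"; "#" starts a comment, "!" a deny entry.
SAMPLE = """\
# constructed example entries
192.168.0
^.*@192\\.168\\.0\\.[0-9]+$
alice@:1:Xq0examplehash
!^.*@203\\.0\\.113\\.7$
"""

def parse(text):
    """Yield (lineno, pattern, has_password) for each allow entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        # Simplification: assumes the pattern itself contains no ":".
        fields = line.split(":")
        passwd = fields[2] if len(fields) > 2 else ""
        yield n, fields[0], bool(passwd)

def audit(text):
    """Flag passwordless entries whose regex is not anchored at both ends."""
    findings = []
    for n, pattern, has_password in parse(text):
        if has_password:
            continue
        anchored = pattern.startswith("^") and pattern.endswith("$")
        if not anchored:
            findings.append((n, pattern, "passwordless and unanchored"))
    return findings

def admits(pattern, user, host):
    """Unanchored search over user@host (the assumed matching behaviour)."""
    return re.search(pattern, f"{user}@{host}") is not None

if __name__ == "__main__":
    for lineno, pattern, reason in audit(SAMPLE):
        print(f"line {lineno}: {pattern!r}: {reason}")
```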

CVSS Base Scores

version 3.1