CVE-2019-16215

The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
VendorProductVersion
zulipzulip_server
𝑥
< 2.0.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.zulip.org/2019/09/11/zulip-server-2-0-5-security-release/
https://github.com/zulip/zulip/commit/5797f013b3be450c146a4141514bda525f2f1b51
https://blog.zulip.org/2019/09/11/zulip-server-2-0-5-security-release/
https://github.com/zulip/zulip/commit/5797f013b3be450c146a4141514bda525f2f1b51