CVE-2021-26271

EUVD-2022-4431
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
ckeditorckeditor
4.0 ≤
𝑥
< 4.16
oracleagile_plm
9.3.5
oracleagile_plm
9.3.6
oracleapplication_express
𝑥
< 21.1.0
oraclefinancial_services_analytical_applications_infrastructure
8.0.6 ≤
𝑥
≤ 8.0.9
oraclefinancial_services_analytical_applications_infrastructure
8.1.0
oraclefinancial_services_analytical_applications_infrastructure
8.1.1
oraclejd_edwards_enterpriseone_tools
𝑥
< 9.2.6.0
oraclesiebel_ui_framework
𝑥
< 21.9
oraclewebcenter_sites
12.2.1.3.0
oraclewebcenter_sites
12.2.1.4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ckeditor
bookworm
4.19.1+dfsg-1
no-dsa
bullseye
4.16.0+dfsg-2
no-dsa
buster
no-dsa
sid
4.22.1+dfsg1-2
fixed
stretch
postponed
trixie
4.22.1+dfsg1-2
fixed
ckeditor3
bookworm
no-dsa
bullseye
no-dsa
buster
no-dsa
sid
vulnerable
stretch
postponed
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ckeditor
bionic
needs-triage
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
Fixed 4.16.0+dfsg-2
released
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html