CVE-2021-26272

It was possible to execute a ReDoS-type (regular-expression denial-of-service) attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor and then press Enter or Space, which hands the text to the Autolink plugin. Because that matching runs in the victim's browser, the catastrophic backtracking blocks the page's JavaScript thread; this is the availability-only, user-interaction-required profile that the CVSS vector below encodes.
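The following is an added example, not code from CKEditor or from this page. It shows the failure mode the description names with a constructed hostname-like pattern (an assumption for illustration; the Autolink plugin's actual regular expression is not reproduced on this page) beside an equivalent linear-time pattern, times both on crafted input, and adds a version gate derived from the affected-versions range 4.0 ≤ x < 4.16. Function names such as `compareOnCrafted` and `isAffectedCkeditor4` are the example's own.

```javascript
// Added example, not CKEditor's own code. Illustrates the ReDoS class named in
// CVE-2021-26272 with a CONSTRUCTED pattern (not the Autolink plugin's regex)
// and a version gate for the affected upstream range 4.0 <= x < 4.16.

// performance.now() is a global in Node >= 16; fall back to Date.now() elsewhere.
const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Constructed pattern with nested quantifiers: ([a-z0-9-]+)+ lets the engine split
// one run of characters into exponentially many group iterations. When the trailing
// "\.[a-z]{2,}$" then fails, every split is retried (catastrophic backtracking).
// Backtracking engines without memoization, including V8's irregexp, behave this way.
const BACKTRACKING_HOST = /^([a-z0-9-]+)+\.[a-z]{2,}$/;

// Equivalent linear-time form: the inner "+" already absorbs the whole run, so the
// outer "+" adds nothing but backtracking choices. Same language, no blow-up.
const LINEAR_HOST = /^[a-z0-9-]+\.[a-z]{2,}$/;

// Crafted input (constructed): a run of matchable characters ending in a byte that
// forces the overall match to fail, which is what maximises backtracking.
function craftedHost(n) {
  return 'a'.repeat(n) + '!';
}

// Time a single test() call; returns both the result and the elapsed milliseconds.
function timeMatch(re, input) {
  const t0 = now();
  const matched = re.test(input);
  return { matched, ms: now() - t0 };
}

// Run both patterns on the same crafted input. They must agree on the answer;
// only the cost differs, and the backtracking cost roughly doubles per character.
function compareOnCrafted(n) {
  const input = craftedHost(n);
  const slow = timeMatch(BACKTRACKING_HOST, input);
  const fast = timeMatch(LINEAR_HOST, input);
  return { n, agree: slow.matched === fast.matched, slowMs: slow.ms, fastMs: fast.ms };
}

// Component-wise integer comparison of dotted version strings, so that
// "4.15.1" < "4.16" and "4.16.2" >= "4.16". Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  if (pa.some(Number.isNaN) || pb.some(Number.isNaN)) {
    throw new TypeError('expected dotted numeric version strings');
  }
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when an upstream CKEditor 4 version falls inside 4.0 <= x < 4.16.
// Distribution packages (e.g. Debian's 4.16.0+dfsg-2) carry their own suffixes
// and backports; use the distro tables on this page for those, not this function.
function isAffectedCkeditor4(version) {
  return compareVersions(version, '4.0') >= 0 && compareVersions(version, '4.16') < 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [12, 16, 20]) {
    const r = compareOnCrafted(n);
    console.log(`n=${r.n} agree=${r.agree} backtracking=${r.slowMs.toFixed(2)}ms linear=${r.fastMs.toFixed(2)}ms`);
  }
  for (const v of ['4.15.1', '4.16', '4.16.2']) {
    console.log(`${v}: affected=${isAffectedCkeditor4(v)}`);
  }
}
```

Run it with node and watch the backtracking column grow while the linear column stays flat. Do not time such a pattern against long input inside a production process: the `test()` call blocks the event loop for the whole search, which is exactly the availability impact (A:H) that the vector records, and in a browser it freezes the editor's tab.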
CVSS 3.x scores

Provider  Type  Base score  Attack vector  Attack complexity  Privileges required  Vector
NIST      NIST  6.5 MEDIUM  NETWORK        LOW                NONE                 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
mitre     CNA   ---         ---            ---                ---                  ---
CVE       ADP   ---         ---            ---                ---                  ---

Remaining components of the NIST vector: User Interaction: Required (the victim must paste the text and press Enter or Space); Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: High.

EPSS Score (percentile): 56%
Affected products (x = vulnerable software version)

Vendor    Product                                                    Version
ckeditor  ckeditor                                                   4.0 ≤ x < 4.16
oracle    agile_plm                                                  9.3.5
oracle    agile_plm                                                  9.3.6
oracle    application_express                                        x < 21.1.0
oracle    banking_party_management                                   2.7.0
oracle    commerce_merchandising                                     11.3.0 ≤ x ≤ 11.3.2
oracle    commerce_merchandising                                     11.1.0
oracle    commerce_merchandising                                     11.2.0
oracle    financial_services_analytical_applications_infrastructure  8.0.6 ≤ x ≤ 8.0.9
oracle    financial_services_analytical_applications_infrastructure  8.1.0
oracle    financial_services_analytical_applications_infrastructure  8.1.1
oracle    financial_services_model_management_and_governance         8.0.8.0.0 ≤ x ≤ 8.1.0.0.0
oracle    jd_edwards_enterpriseone_tools                             x < 9.2.6.0
oracle    siebel_ui_framework                                        x ≤ 21.9
oracle    webcenter_sites                                            12.2.1.3.0
oracle    webcenter_sites                                            12.2.1.4.0

The Oracle rows are products that bundle CKEditor 4; for those, the relevant boundary is the Oracle release or patch level shown, not the upstream 4.16 number.
Debian releases

Product    Codename  Fixed version    Status
ckeditor   bullseye  4.16.0+dfsg-2    fixed
ckeditor   buster    ---              no-dsa
ckeditor   stretch   ---              postponed
ckeditor   bookworm  4.19.1+dfsg-1    fixed
ckeditor   sid       4.22.1+dfsg1-2   fixed
ckeditor   trixie    4.22.1+dfsg1-2   fixed
ckeditor3  bookworm  3.6.6.1+dfsg-7   fixed
ckeditor3  bullseye  3.6.6.1+dfsg-7   fixed
ckeditor3  sid       3.6.6.1+dfsg-7   fixed
ckeditor3  trixie    3.6.6.1+dfsg-7   fixed
ckeditor3  buster    ---              no-dsa
ckeditor3  stretch   ---              postponed

Status terms (Debian security tracker): no-dsa = the issue is rated minor and no Debian Security Advisory will be issued for that release; postponed = a fix is deferred to a later update. No fix is scheduled for buster or stretch, so ckeditor installations on those releases should be verified against the 4.16 boundary rather than assumed patched.
Ubuntu releases

Product   Codename  Status
ckeditor  noble     not-affected
ckeditor  mantic    not-affected
ckeditor  lunar     not-affected
ckeditor  kinetic   not-affected
ckeditor  jammy     not-affected
ckeditor  impish    released (fixed in 4.16.0+dfsg-2)
ckeditor  hirsute   ignored
ckeditor  groovy    ignored
ckeditor  focal     needs-triage
ckeditor  bionic    needs-triage
ckeditor  xenial    needs-triage
ckeditor  trusty    dne

Status terms (Ubuntu CVE tracker): needs-triage = not yet assessed by the Ubuntu security team; dne = the package does not exist in that release. focal, bionic and xenial still carry needs-triage, so a ckeditor package on those releases should be checked against the 4.16 boundary directly rather than assumed fixed.