{
  "schema_version": "1.4.0",
  "id": "GHSA-x9w7-f6x8-r9xh",
  "modified": "2022-05-24T19:11:35Z",
  "published": "2022-05-24T19:11:35Z",
  "aliases": [
    "CVE-2021-33580"
  ],
  "details": "User controlled `request.getHeader(\"Referer\")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2.",
  "severity": [],
  "affected": [],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33580"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9d967d80af941717573e531db2c7353a90bfd0886e9b5d5d79f75506%40%3Cuser.roller.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/08/18/1"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-18T08:15:00Z"
  }
}