UBUNTU-CVE-2024-21490

Details

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. Note: This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.

Affected Packages

angular.js

Ubuntu Pro 18.04 LTSUbuntu 18.04 LTS

Affected versions:

1.5.10-1

angular.js

Ubuntu Pro 20.04 LTSUbuntu 20.04 LTS

Affected versions:

1.5.10-11.7.9-1

angular.js

Ubuntu 22.04 LTS

Affected versions:

1.8.2-2

angular.js

Ubuntu 24.04 LTSUbuntu 25.04

Affected versions:

1.8.3-1

References

REPORThttps://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113 REPORThttps://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos REPORThttps://ubuntu.com/security/CVE-2024-21490 REPORThttps://www.cve.org/CVERecord?id=CVE-2024-21490

UBUNTU-CVE-2024-21490

Details

Affected Packages

References

CVSS Analysis

Upstream

Ecosystems(7)

Timeline