chore(deps): update dependency ua-parser-js to v0.7.24 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
ua-parser-js (source)	0.7.20 → 0.7.24

---

Regular Expression Denial of Service (ReDoS) in ua-parser-js

CVE-2021-27292 / GHSA-78cj-fxph-m83p

More information

Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-27292
• https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
• https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
• https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
• https://github.com/advisories/GHSA-78cj-fxph-m83p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

ua-parser-js Regular Expression Denial of Service vulnerability

CVE-2020-7793 / GHSA-394c-5j6w-4xmx

More information

Details

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-7793
• https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387
• https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
• https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
• https://github.com/advisories/GHSA-394c-5j6w-4xmx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Regular Expression Denial of Service in ua-parser-js

CVE-2020-7733 / GHSA-662x-fhqg-9p8v

More information

Details

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-7733
• https://github.com/faisalman/ua-parser-js/commit/233d3bae22a795153a7e6638887ce159c63e557d
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-674666
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665
• https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://github.com/advisories/GHSA-662x-fhqg-9p8v

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

faisalman/ua-parser-js (ua-parser-js)

v0.7.24

Compare Source

v0.7.23

Compare Source

v0.7.22

Compare Source

v0.7.21

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.