Vulnerability Details CVE-2021-26272
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 56.6%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.3
References
- https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first
- https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first
- https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Products affected by CVE-2021-26272
-
cpe:2.3:a:ckeditor:ckeditor:4.0
-
cpe:2.3:a:ckeditor:ckeditor:4.0.1
-
cpe:2.3:a:ckeditor:ckeditor:4.0.1.1
-
cpe:2.3:a:ckeditor:ckeditor:4.0.2
-
cpe:2.3:a:ckeditor:ckeditor:4.0.3
-
cpe:2.3:a:ckeditor:ckeditor:4.1
-
cpe:2.3:a:ckeditor:ckeditor:4.1.1
-
cpe:2.3:a:ckeditor:ckeditor:4.1.2
-
cpe:2.3:a:ckeditor:ckeditor:4.1.3
-
cpe:2.3:a:ckeditor:ckeditor:4.10.0
-
cpe:2.3:a:ckeditor:ckeditor:4.10.1
-
cpe:2.3:a:ckeditor:ckeditor:4.11.0
-
cpe:2.3:a:ckeditor:ckeditor:4.11.1
-
cpe:2.3:a:ckeditor:ckeditor:4.11.2
-
cpe:2.3:a:ckeditor:ckeditor:4.11.3
-
cpe:2.3:a:ckeditor:ckeditor:4.11.4
-
cpe:2.3:a:ckeditor:ckeditor:4.13.0
-
cpe:2.3:a:ckeditor:ckeditor:4.13.1
-
cpe:2.3:a:ckeditor:ckeditor:4.14
-
cpe:2.3:a:ckeditor:ckeditor:4.14.0
-
cpe:2.3:a:ckeditor:ckeditor:4.14.1
-
cpe:2.3:a:ckeditor:ckeditor:4.15.0
-
cpe:2.3:a:ckeditor:ckeditor:4.15.1
-
cpe:2.3:a:ckeditor:ckeditor:4.2
-
cpe:2.3:a:ckeditor:ckeditor:4.2.1
-
cpe:2.3:a:ckeditor:ckeditor:4.2.2
-
cpe:2.3:a:ckeditor:ckeditor:4.2.3
-
cpe:2.3:a:ckeditor:ckeditor:4.3.0
-
cpe:2.3:a:ckeditor:ckeditor:4.3.1
-
cpe:2.3:a:ckeditor:ckeditor:4.3.2
-
cpe:2.3:a:ckeditor:ckeditor:4.3.3
-
cpe:2.3:a:ckeditor:ckeditor:4.3.4
-
cpe:2.3:a:ckeditor:ckeditor:4.3.5
-
cpe:2.3:a:ckeditor:ckeditor:4.4.0
-
cpe:2.3:a:ckeditor:ckeditor:4.4.1
-
cpe:2.3:a:ckeditor:ckeditor:4.4.2
-
cpe:2.3:a:ckeditor:ckeditor:4.4.3
-
cpe:2.3:a:ckeditor:ckeditor:4.4.4
-
cpe:2.3:a:ckeditor:ckeditor:4.4.5
-
cpe:2.3:a:ckeditor:ckeditor:4.4.6
-
cpe:2.3:a:ckeditor:ckeditor:4.4.7
-
cpe:2.3:a:ckeditor:ckeditor:4.4.8
-
cpe:2.3:a:ckeditor:ckeditor:4.5.0
-
cpe:2.3:a:ckeditor:ckeditor:4.5.1
-
cpe:2.3:a:ckeditor:ckeditor:4.5.10
-
cpe:2.3:a:ckeditor:ckeditor:4.5.11
-
cpe:2.3:a:ckeditor:ckeditor:4.5.2
-
cpe:2.3:a:ckeditor:ckeditor:4.5.3
-
cpe:2.3:a:ckeditor:ckeditor:4.5.4
-
cpe:2.3:a:ckeditor:ckeditor:4.5.5
-
cpe:2.3:a:ckeditor:ckeditor:4.5.6
-
cpe:2.3:a:ckeditor:ckeditor:4.5.7
-
cpe:2.3:a:ckeditor:ckeditor:4.5.8
-
cpe:2.3:a:ckeditor:ckeditor:4.5.9
-
cpe:2.3:a:ckeditor:ckeditor:4.6.0
-
cpe:2.3:a:ckeditor:ckeditor:4.6.1
-
cpe:2.3:a:ckeditor:ckeditor:4.6.2
-
cpe:2.3:a:ckeditor:ckeditor:4.7.0
-
cpe:2.3:a:ckeditor:ckeditor:4.7.1
-
cpe:2.3:a:ckeditor:ckeditor:4.7.2
-
cpe:2.3:a:ckeditor:ckeditor:4.7.3
-
cpe:2.3:a:ckeditor:ckeditor:4.8.0
-
cpe:2.3:a:ckeditor:ckeditor:4.9.0
-
cpe:2.3:a:ckeditor:ckeditor:4.9.1
-
cpe:2.3:a:ckeditor:ckeditor:4.9.2
-
cpe:2.3:a:oracle:agile_plm:9.3.5
-
cpe:2.3:a:oracle:agile_plm:9.3.6
-
cpe:2.3:a:oracle:application_express:-
-
cpe:2.3:a:oracle:application_express:18.2
-
cpe:2.3:a:oracle:application_express:19.1
-
cpe:2.3:a:oracle:application_express:19.2
-
cpe:2.3:a:oracle:application_express:20.1
-
cpe:2.3:a:oracle:application_express:20.2
-
cpe:2.3:a:oracle:application_express:3.0
-
cpe:2.3:a:oracle:application_express:3.1
-
cpe:2.3:a:oracle:application_express:3.2
-
cpe:2.3:a:oracle:application_express:4.0
-
cpe:2.3:a:oracle:application_express:4.1
-
cpe:2.3:a:oracle:application_express:4.2
-
cpe:2.3:a:oracle:application_express:5.0
-
cpe:2.3:a:oracle:application_express:5.0.4
-
cpe:2.3:a:oracle:application_express:5.1.0
-
cpe:2.3:a:oracle:application_express:5.1.1
-
cpe:2.3:a:oracle:application_express:5.1.2
-
cpe:2.3:a:oracle:application_express:5.1.2.00.09
-
cpe:2.3:a:oracle:application_express:5.1.3
-
cpe:2.3:a:oracle:application_express:5.1.3.00.05
-
cpe:2.3:a:oracle:application_express:5.1.4
-
cpe:2.3:a:oracle:application_express:5.1.4.00.08
-
cpe:2.3:a:oracle:banking_party_management:2.7.0
-
cpe:2.3:a:oracle:commerce_merchandising:11.1.0
-
cpe:2.3:a:oracle:commerce_merchandising:11.2.0
-
cpe:2.3:a:oracle:commerce_merchandising:11.3.0
-
cpe:2.3:a:oracle:commerce_merchandising:11.3.1
-
cpe:2.3:a:oracle:commerce_merchandising:11.3.2
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.1
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.2.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.3.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.4.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.2.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1
-
cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.0.8.0.0
-
cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.0.0.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3
-
cpe:2.3:a:oracle:siebel_ui_framework:-
-
cpe:2.3:a:oracle:siebel_ui_framework:16.0
-
cpe:2.3:a:oracle:siebel_ui_framework:16.1
-
cpe:2.3:a:oracle:siebel_ui_framework:17.0
-
cpe:2.3:a:oracle:siebel_ui_framework:18.0
-
cpe:2.3:a:oracle:siebel_ui_framework:18.10
-
cpe:2.3:a:oracle:siebel_ui_framework:18.11
-
cpe:2.3:a:oracle:siebel_ui_framework:18.7
-
cpe:2.3:a:oracle:siebel_ui_framework:18.8
-
cpe:2.3:a:oracle:siebel_ui_framework:18.9
-
cpe:2.3:a:oracle:siebel_ui_framework:19.0
-
cpe:2.3:a:oracle:siebel_ui_framework:19.10
-
cpe:2.3:a:oracle:siebel_ui_framework:19.7
-
cpe:2.3:a:oracle:siebel_ui_framework:19.8
-
cpe:2.3:a:oracle:siebel_ui_framework:20.1
-
cpe:2.3:a:oracle:siebel_ui_framework:20.12
-
cpe:2.3:a:oracle:siebel_ui_framework:20.2
-
cpe:2.3:a:oracle:siebel_ui_framework:20.5
-
cpe:2.3:a:oracle:siebel_ui_framework:20.6
-
cpe:2.3:a:oracle:siebel_ui_framework:20.8
-
cpe:2.3:a:oracle:siebel_ui_framework:21.0
-
cpe:2.3:a:oracle:siebel_ui_framework:21.2
-
cpe:2.3:a:oracle:siebel_ui_framework:21.9
-
cpe:2.3:a:oracle:siebel_ui_framework:8.1.1
-
cpe:2.3:a:oracle:siebel_ui_framework:8.2.2
-
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0
-
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0