PowSyBl DataSource Polynomial Regular Expression Denial-of-Service Vulnerability
Vulnerability
A polynomial Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the DataSource mechanism of the PowSyBl framework prior to version 6.7.2. The 'listNames(String regex)' method compiles a caller-supplied regular expression without validation and evaluates it against the names of the file-like resources the DataSource holds. A pattern with overlapping unbounded quantifiers backtracks polynomially in the length of the name it is matched against, so even a pattern that is not exponential can consume substantial CPU time when the names are long. An attacker who can influence both the regex and the resource names can use this to degrade performance and availability, which is most damaging in multi-tenant environments where the listing call competes with other users for CPU.
Impact
Exploitation causes sustained CPU consumption from regex backtracking for the duration of the 'listNames' call, slowing or stalling the application. In a multi-tenant deployment the cost is paid by every user sharing the host, not only the one who triggered it.
Reproduction
To reproduce this vulnerability, point a DataSource at an archive or directory whose entry names can be influenced by an untrusted user, for example an uploaded archive containing a very long entry name, then call 'listNames(String regex)' with a pattern that exploits backtracking: several overlapping unbounded quantifiers followed by a literal that does not appear in the names. The regex engine tries every way of splitting the long name among the quantifiers before it can fail, so the CPU time of the call grows polynomially with the name length.
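The following Java program is an added illustration and is not code from PowSyBl or from this advisory. It models the shape of the problem on a plain list of names (the real DataSource iterates archive or directory entries; that code is not reproduced here) and puts a hardened variant beside it. The class and method names, the constructed resource names, the hostile regex and the caps are all assumptions made for the demo, and the hardening shown is one way to bound matching time in java.util.regex, not the fix shipped in 6.7.2. It needs Java 11 or later for String.repeat.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class ListNamesRedosDemo {

    // Constructed sample names (not from the project). The last one stands in for a hostile
    // archive entry: a long run of one character that a pattern can split in many ways,
    // plus a suffix so the match must eventually fail.
    static List<String> sampleNames(int runLength) {
        List<String> names = new ArrayList<>();
        names.add("case.xiidm");
        names.add("case_N.xiidm");
        names.add("a".repeat(runLength) + ".tmp");
        return names;
    }

    // Assumed shape of the vulnerable behaviour: the caller's regex is compiled and applied
    // to every name with no validation and no bound on matching time.
    static List<String> listNamesUnsafe(List<String> names, String regex) {
        Pattern p = Pattern.compile(regex);
        List<String> out = new ArrayList<>();
        for (String n : names) {
            if (p.matcher(n).matches()) out.add(n);
        }
        return out;
    }

    // One hardening approach (not the project's patch): cap regex and name length and abort
    // any match that runs past a time budget.
    static final int MAX_REGEX_LENGTH = 256;
    static final int MAX_NAME_LENGTH = 4096;

    static List<String> listNamesGuarded(List<String> names, String regex, long budgetMillis) {
        if (regex.length() > MAX_REGEX_LENGTH) {
            throw new IllegalArgumentException("regex longer than " + MAX_REGEX_LENGTH);
        }
        Pattern p;
        try {
            p = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            throw new IllegalArgumentException("invalid regex", e);
        }
        long deadline = System.nanoTime() + budgetMillis * 1_000_000L;
        List<String> out = new ArrayList<>();
        for (String n : names) {
            if (n.length() > MAX_NAME_LENGTH) continue; // policy choice: skip over-long names
            if (p.matcher(new DeadlineCharSequence(n, deadline)).matches()) out.add(n);
        }
        return out;
    }

    // java.util.regex reads its input through CharSequence.charAt(), so a wrapper that checks
    // a deadline on every read turns runaway backtracking into an exception instead of a
    // pinned CPU core.
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) { // overflow-safe comparison
                throw new IllegalStateException("regex matching exceeded its time budget");
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    public static void main(String[] args) {
        // Polynomial, not exponential: four overlapping unbounded quantifiers and a trailing
        // literal that never occurs. The engine tries every split of the run of 'a's across
        // the quantifiers before failing, roughly n^3/6 attempts for a run of length n.
        String hostileRegex = "a*a*a*a*b";
        List<String> names = sampleNames(1_000);

        long t0 = System.nanoTime();
        List<String> hits = listNamesUnsafe(names, hostileRegex);
        System.out.printf("unsafe:  %d match(es) after %d ms%n",
                hits.size(), (System.nanoTime() - t0) / 1_000_000);

        t0 = System.nanoTime();
        try {
            hits = listNamesGuarded(names, hostileRegex, 100);
            System.out.printf("guarded: %d match(es) after %d ms%n",
                    hits.size(), (System.nanoTime() - t0) / 1_000_000);
        } catch (IllegalStateException e) {
            System.out.printf("guarded: aborted after %d ms (%s)%n",
                    (System.nanoTime() - t0) / 1_000_000, e.getMessage());
        }
    }
}
```

Run it with `java ListNamesRedosDemo.java`: the unsafe call spends seconds on the 1000-character name, while the guarded call gives up at the 100 ms budget. Note that the deadline is wall-clock, not CPU time, and that an aborted call still spends its budget, so per-call limits of this kind complement rather than replace upgrading to a fixed version and restricting who may supply regexes in the first place.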
Remediation
Users can upgrade to PowSyBl version 6.7.2 or later to address this vulnerability.
