{"id":"CVE-2020-7760","details":"This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDoS vulnerability of the regex is mainly due to the sub-pattern (\\s|/\\*.*?\\*/)*","aliases":["GHSA-4gw3-8f77-f72c"],"modified":"2026-04-11T12:35:04.695666Z","published":"2020-10-30T11:15:12.633Z","related":["SNYK-JAVA-ORGAPACHEMARMOTTAWEBJARS-1024450","SNYK-JAVA-ORGWEBJARS-1024449","SNYK-JAVA-ORGWEBJARSBOWER-1024445","SNYK-JAVA-ORGWEBJARSBOWERGITHUBCODEMIRROR-1024448","SNYK-JAVA-ORGWEBJARSBOWERGITHUBCOMPONENTS-1024446","SNYK-JAVA-ORGWEBJARSNPM-1024447","SNYK-JS-CODEMIRROR-1016937"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"fixed":"20.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"19c"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:enterprise_manager_express_user_interface:19c:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"21.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"11.2.9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"19.1.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:spatial_studio:*:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4789"},{"type":"FIX","url":"https://github.com/codemirror/CodeMirror/commit/55d0333907117c9231ffdf555ae8824705993bbb"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-J
AVA-ORGAPACHEMARMOTTAWEBJARS-1024450"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1024449"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1024445"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCODEMIRROR-1024448"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCOMPONENTS-1024446"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1024447"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/codemirror/codemirror5","events":[{"introduced":"0"},{"fixed":"264022ee4af4abca1c158944dc299a8faf8696d6"},{"fixed":"55d0333907117c9231ffdf555ae8824705993bbb"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"5.58.2"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:codemirror:codemirror:*:*:*:*:*:*:*:*"}}],"versions":["3.13.0","3.14.0","3.15.0","3.16.0","3.17.0","3.18.0","3.19.0","3.20.0","3.21.0","4.0.1","4.0.2","4.0.3","4.1.0","4.10.0","4.12.0","4.13.0","4.2.0","4.3.0","4.4.0","4.5.0","4.6.0","4.7.0","4.8.0","4.9.0","5.0.0","5.1.0","5.10.0","5.11.0","5.12.0","5.13.0","5.13.2","5.14.0","5.14.2","5.15.0","5.15.2","5.16.0","5.17.0","5.18.0","5.18.2","5.19.0","5.2.0","5.20.0","5.20.2","5.21.0","5.22.0","5.23.0","5.24.0","5.24.2","5.25.0","5.25.2","5.26.0","5.27.0","5.27.2","5.27.4","5.28.0","5.29.0","5.3.0","5.30.0","5.31.0","5.32.0","5.33.0","5.34.0","5.35.0","5.36.0","5.37.0","5.38.0","5.39.0","5.39.2","5.4.0","5.40.0","5.40.2","5.41.0","5.42.0","5.43.0","5.44.0","5.45.0","5.46.0","5.47.0","5.48.0","5.48.2","5.48.4","5.49.0","5.49.2","5.5.0","5.50.0","5.50.2","5.51.0","5.52.0","5.52.2","5.53.0","5.53.2","5.54.0","5.55.0","5.56.0","5.57.0","5.58.0","5.58.1","5.6.0","5.7.0","5.8.0","5.9.0","beta1","beta2","v2.0","v2.01","v2.02","v2.1","v2.11","v2.12","v2.13","v2.14","v2.15","v2.16","v2.17","v2.18","v2.2","v2.21","v2.22","v2.23","v2.2
4","v2.25","v2.3","v2.31","v2.32","v2.33","v3.0","v3.01","v3.0beta1","v3.0beta2","v3.0rc1","v3.0rc2","v3.1","v3.11","v3.12","v4_beta1","v4_beta2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7760.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}