Bug 2134609 (CVE-2022-3517, PRISMA-2022-0039)

Summary: CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Target Release: ---
Keywords: Security
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Red Hat Product Security <security-response-team>
CC: adudiak, agerstmayr, aileenc, alazarot, amackenz, amasferr, anbehl, aoconnor, asoldano, balejosg, bbaranow, bbuckingham, bcoca, bcourt, bdettelb, bmaxwell, bniver, bodavis, brian.stansberry, btotty, caswilli, cdewolf, chazlett, cluster-maint, darran.lofthouse, davidn, dcadzow, dffrench, dkenigsb, dkreling, dkuc, dosoudil, drieden, dwhatley, dymurray, ehelms, emachado, emartyny, emingora, epacific, eric.wittmann, etirelli, fdeutsch, fdupont, fjansen, fjuma, flucifre, fmuellner, fzatlouk, gjospin, gmalinko, gmeno, gparvin, grafana-maint, gzaronik, hhorak, ibek, ibolton, idevat, idm-ds-dev-bugs, ikanias, iweiss, janstey, jary, jburrell, jcajka, jcammara, jcantril, jchecahi, jhardy, jhorak, jkoehler, jkurik, jmatthew, jmontleo, jneedle, jobarker, jochrist, jorton, jpadman, jpavlik, jramanat, jrokos, jross, jshaughn, jsherril, jwendell, jwong, jwon, kaycoth, klember, kmalyjur, kshier, kverlaen, kyoshida, lgao, lzap, mabashia, mbenjamin, mhackett, mhulan, micjohns, mkudlej, mlisik, mmccune, mnewsome, mnovotny, mokumar, mosmerov, mpitt, mpospisi, mresvani, msochure, msvehla, muagarwa, mwringe, myarboro, nathans, nboldt, ngough, njean, nmoumoul, nodejs-maint, nwallace, ocs-bugs, omular, orabin, oramraz, osapryki, oskutka, pahickey, pantinor, pcreech, pdelbell, peholase, periklis, pjindal, pmackay, psegedy, rcernich, rchan, rgodfrey, rguimara, rrajasek, rravi, rstancel, ruby-maint, scorneli, simaishi, sipoyare, slucidi, smaestri, smcdonal, smullick, sostapov, sseago, stcannon, sthirugn, stransky, tcarlin, tfister, thrcka, tjochec, tohughes, tojeline, tom.jenkinson, tsasak, tstellar, twalsh, vereddy, vkrizan, vkumar, vmugicag, vondruch, yguenane, zsadeh, zsvetlik
Fixed In Version: nodejs-minimatch 3.0.5
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Story Points: ---
Last Closed: 2023-02-10 05:46:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2135441, 2135442, 2135443, 2135444, 2135445, 2136882, 2134945, 2135440, 2135446, 2135447, 2135448, 2135449, 2135450, 2135451, 2135452, 2135453, 2135454, 2135455, 2135456, 2135457, 2135458, 2135459, 2135460, 2135461, 2135462, 2135464, 2135465, 2135466, 2135467, 2135468, 2135469, 2135470, 2135471, 2135472, 2135473, 2135482, 2135483, 2135484, 2135485, 2135486, 2135487, 2135488, 2135489, 2135490, 2135491, 2135492, 2135493, 2135494, 2135495, 2135497, 2135499, 2135501, 2135502, 2135503, 2135504, 2135505, 2135506, 2135507, 2135508, 2135509, 2135518, 2135519, 2135520, 2135667, 2135668, 2135669, 2135670, 2135671, 2135672, 2135887, 2135888, 2135889, 2135890, 2135891, 2135892, 2135893, 2136816, 2136817, 2137247, 2137248, 2137745, 2142825, 2142826, 2142827, 2142828, 2142829, 2142830, 2142832, 2142833, 2142834, 2142835, 2142837, 2142839, 2142841, 2142842, 2142843, 2142844, 2142845, 2142846, 2151880, 2160552, 2212561    
Bug Blocks: 2102890, 2134950    

Description Guilherme de Almeida Suckevicz 2022-10-13 18:07:59 UTC
The nodejs-minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). It's possible to cause a denial of service when calling the braceExpand function.

References:
https://github.com/grafana/grafana-image-renderer/issues/329
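To make the bug class concrete, here is an added JavaScript illustration that is not minimatch's source and is not taken from the bug report or from the upstream commit linked in comment 1: a naive brace-group pre-check of the kind a glob library uses to decide whether a pattern needs expanding, which backtracks quadratically on a pattern made of repeated `{`, beside a hardened version that caps pattern length and scans once. The regex, the 64 KiB cap and the function names are this example's own assumptions about how such a check is written, not facts the page states.

```javascript
// Added illustration for the bug class behind CVE-2022-3517: a regex pre-check
// of the kind a brace expander uses to decide whether a pattern needs
// expanding. This is NOT minimatch's source. Both functions are modelled
// approximations written for this page (assumption); the upstream fix itself
// is the commit linked in comment 1 of the report.

// Naive check: "is there a '{' followed later by a '}' on the same line?"
// The greedy '.*' makes the engine try every '{' as a start and backtrack
// through the remainder each time, so a pattern of n '{' with no '}' costs
// about n^2 / 2 steps. Pattern length is attacker-controlled wherever globs
// come from users or config, which is what turns this into a denial of service.
function hasBraceGroupNaive(pattern) {
  return /\{.*\}/.test(pattern);
}

// Hardened check with two independent defences:
//  1. a hard cap on pattern length, so the input size cannot be chosen freely
//     (64 KiB is this example's choice, not a value taken from the page);
//  2. a single forward scan that answers the same question in O(n) with no
//     backtracking at all.
const MAX_PATTERN_LENGTH = 64 * 1024;

// '.' in the naive regex does not cross these, so the scan must not either.
const LINE_TERMINATORS = new Set(['\n', '\r', '\u2028', '\u2029']);

function hasBraceGroupSafe(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('invalid pattern');
  if (pattern.length > MAX_PATTERN_LENGTH) throw new TypeError('pattern is too long');
  let seenOpen = false;
  for (const ch of pattern) {
    if (LINE_TERMINATORS.has(ch)) seenOpen = false; // forget any open brace on a new line
    else if (ch === '{') seenOpen = true;
    else if (ch === '}' && seenOpen) return true;
  }
  return false;
}

// Time one check on the pathological input (n '{' characters, no '}').
function timeCheck(fn, n) {
  const input = '{'.repeat(n);
  const start = process.hrtime.bigint();
  const result = fn(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, ms };
}

function main() {
  // Doubling n should roughly quadruple the naive time; the scan stays linear.
  for (const n of [2500, 5000, 10000]) {
    const naive = timeCheck(hasBraceGroupNaive, n);
    const safe = timeCheck(hasBraceGroupSafe, n);
    console.log(`n=${n}: naive regex ${naive.ms.toFixed(1)} ms, linear scan ${safe.ms.toFixed(2)} ms`);
  }
}

main();
```

Run it with `node`; the naive timing should grow roughly fourfold each time n doubles while the linear scan stays flat. The length cap is worth keeping even once the regex is gone: any check, linear or not, is a denial-of-service lever when a remote caller can hand the process a multi-megabyte glob.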

Comment 1 Guilherme de Almeida Suckevicz 2022-10-14 17:53:27 UTC
Upstream fix:
https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6
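Because minimatch is almost always pulled in transitively, often several times at different versions in one tree, the practical question after reading the fix is which installed copies are still below 3.0.5. The following is an added JavaScript triage helper, not part of this report, of the errata, or of minimatch; it assumes an npm lockfileVersion 2 or 3 layout, in which the `packages` map keys every installed copy by its node_modules path, and it uses a constructed sample lockfile in place of a real one.

```javascript
// Added triage helper, not part of the bug report or of minimatch: walk an npm
// lockfile, list every installed copy of minimatch (nested copies included) and
// flag those older than the fixed version named on this page. Assumes an npm
// lockfileVersion 2 or 3, whose "packages" map keys each copy by its
// node_modules path; the lockfile below is constructed for this example.

const FIXED_VERSION = '3.0.5';

// Minimal semver: compare the numeric major.minor.patch triple only.
// Prerelease/build suffixes are ignored (assumption: adequate for release tags).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The package name is the text after the LAST "node_modules/" segment, so
// "node_modules/glob/node_modules/minimatch" resolves to "minimatch" while
// look-alikes such as "node_modules/minimatch-extra" do not match.
function packageNameOf(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// One record per installed copy of `name`: { path, version, vulnerable }.
function findPackage(lock, name, fixed) {
  const results = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (packageNameOf(lockPath) !== name) continue;
    if (!meta || typeof meta.version !== 'string') continue;
    results.push({
      path: lockPath,
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixed) < 0,
    });
  }
  return results;
}

// Constructed lockfile: three copies of minimatch, two of them below 3.0.5,
// plus a decoy package whose name merely starts with "minimatch".
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { glob: '^7.2.0' } },
    'node_modules/minimatch': { version: '3.1.2' },
    'node_modules/glob': { version: '7.2.3', dependencies: { minimatch: '^3.0.4' } },
    'node_modules/glob/node_modules/minimatch': { version: '3.0.4' },
    'node_modules/legacy-tool/node_modules/minimatch': { version: '2.0.10' },
    'node_modules/minimatch-extra': { version: '1.0.0' },
    'node_modules/brace-expansion': { version: '1.1.11' },
  },
};

function vulnerableCopies(lock) {
  return findPackage(lock, 'minimatch', FIXED_VERSION).filter((r) => r.vulnerable);
}

function main() {
  const hits = vulnerableCopies(SAMPLE_LOCK);
  if (hits.length === 0) {
    console.log(`no minimatch older than ${FIXED_VERSION} found`);
    return;
  }
  for (const h of hits) console.log(`${h.path}@${h.version} is older than ${FIXED_VERSION}`);
}

main();
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `vulnerableCopies`; `npm ls minimatch` shows the same nesting interactively. For distribution-packaged copies, go by the errata listed in the comments below rather than by this version test, since a backported fix need not change the upstream version string.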

Comment 3 Guilherme de Almeida Suckevicz 2022-10-17 16:53:43 UTC
Created breeze-icon-theme tracking bugs for this issue:

Affects: epel-all [bug 2135441]
Affects: fedora-all [bug 2135447]


Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2135448]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2135449]


Created fawkes tracking bugs for this issue:

Affects: fedora-all [bug 2135450]


Created gnome-shell-extension-material-shell tracking bugs for this issue:

Affects: fedora-all [bug 2135451]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2135452]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2135442]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2135453]


Created librealsense tracking bugs for this issue:

Affects: fedora-all [bug 2135454]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2135455]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2135456]


Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135440]


Created nodejs-bash-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2135457]


Created nodejs-diagnostic-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2135458]


Created nodejs-minimatch tracking bugs for this issue:

Affects: epel-all [bug 2135443]


Created nodejs-nodemon tracking bugs for this issue:

Affects: fedora-all [bug 2135459]


Created nodejs-tape tracking bugs for this issue:

Affects: fedora-all [bug 2135460]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135461]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2135444]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135462]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135464]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2135445]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135465]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135466]


Created opencc tracking bugs for this issue:

Affects: fedora-all [bug 2135467]


Created perl-Code-TidyAll tracking bugs for this issue:

Affects: fedora-all [bug 2135468]


Created python-howdoi tracking bugs for this issue:

Affects: fedora-all [bug 2135469]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2135446]
Affects: fedora-all [bug 2135470]


Created tdlib tracking bugs for this issue:

Affects: fedora-all [bug 2135471]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2135472]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2135473]

Comment 23 errata-xmlrpc 2022-12-06 15:32:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8832 https://access.redhat.com/errata/RHSA-2022:8832

Comment 24 errata-xmlrpc 2022-12-06 15:35:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:8833 https://access.redhat.com/errata/RHSA-2022:8833

Comment 25 errata-xmlrpc 2022-12-14 22:40:26 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:9040 https://access.redhat.com/errata/RHSA-2022:9040

Comment 26 errata-xmlrpc 2022-12-15 16:16:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073

Comment 38 errata-xmlrpc 2023-01-09 14:50:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050

Comment 46 errata-xmlrpc 2023-01-23 15:19:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321

Comment 47 errata-xmlrpc 2023-01-26 12:14:54 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:0471 https://access.redhat.com/errata/RHSA-2023:0471

Comment 56 errata-xmlrpc 2023-02-06 19:39:34 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612

Comment 57 errata-xmlrpc 2023-02-07 18:36:52 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0630 https://access.redhat.com/errata/RHSA-2023:0630

Comment 58 Product Security DevOps Team 2023-02-10 05:46:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3517

Comment 59 errata-xmlrpc 2023-03-30 12:35:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533

Comment 60 errata-xmlrpc 2023-04-12 14:58:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Comment 61 errata-xmlrpc 2023-04-12 14:58:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1743 https://access.redhat.com/errata/RHSA-2023:1743

Comment 62 errata-xmlrpc 2023-06-22 19:51:58 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742