Bug 1926866 (CVE-2021-21306)

Summary: CVE-2021-21306 nodejs-marked: Regular expression denial of service
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anpicker, bmontgom, eparis, erooth, jburrell, jokerman, jsmith.fedora, jwendell, kaycoth, lcosic, nodejs-sig, nstielau, rcernich, rhel8-maint, sponnaga, stuart, surbania, tchollingsworth, twalsh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-marked 2.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 08:47:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1926870, 1926871, 1926872, 1927209    
Bug Blocks: 1926874    

Description Pedro Sampaio 2021-02-09 15:19:03 UTC 
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.

References:

https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd
https://github.com/markedjs/marked/issues/1927
https://github.com/markedjs/marked/pull/1864
https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96
https://www.npmjs.com/package/marked
Comment 1 Pedro Sampaio 2021-02-09 15:27:51 UTC 
Created marked tracking bugs for this issue:

Affects: epel-all [bug 1926872]
Affects: fedora-all [bug 1926871]


Created nodejs-marked tracking bugs for this issue:

Affects: fedora-32 [bug 1926870]
Comment 5 Przemyslaw Roguski 2021-02-15 11:14:47 UTC 
Affected versions >=1.1.2 and <2.0.0,
see: https://github.com/markedjs/marked/issues/1927#issuecomment-773728733