Bug 1945459 (CVE-2020-28469)
| Summary: | CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alegrand, anpicker, aos-bugs, aturgema, bdettelb, bmontgom, dblechte, dfediuck, eedri, eparis, erooth, gghezzo, gparvin, hhorak, jburrell, jhadvig, jokerman, jorton, jramanat, jsmith.fedora, jweiser, jwendell, kakkoyun, kconner, lcosic, mgoldboi, michal.skrivanek, mpoole, mwringe, nodejs-maint, nodejs-sig, nstielau, pkrupa, ploffay, rcernich, sbonazzo, sgratch, sherold, sponnaga, stcannon, surbania, thee, thrcka, tomckay, twalsh, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nodejs-glob-parent 5.1.2 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in nodejs-glob-parent. The enclosure regex used to check for glob enclosures containing backslashes is vulnerable to Regular Expression Denial of Service attacks. This flaw allows an attacker to cause a denial of service if they can supply a malicious string to the glob-parent function. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-04 20:33:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1951624, 1945464, 1946321, 1946322, 1946323, 1946324, 1946325, 1946326, 1946327, 1946328, 1946329, 1946330, 1946331, 1946332, 1948025, 1948026, 1948027, 1948028, 1948029, 1948030, 1948031, 1948333, 1948334, 1948335, 1948336, 1972657, 1972658, 1972659, 1989904, 1989905, 2028130, 2028131, 2029479, 2029527, 2124233 | ||
| Bug Blocks: | 1945460 | ||
|
Description
Jason Shepherd
2021-04-01 01:08:44 UTC
External References: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 Upstream Commit: https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366 Created nodejs-glob-parent tracking bugs for this issue: Affects: fedora-all [bug 1945464] This issues affects the version of glob-parent bundled with the nodejs-nodemon packages in Red Ha Software Collections and Red Hat Enterprise Linux 8. However, there does not seem to be any practical exposure of the issue to untrusted inputs via nodemon, nodemon only uses glob-parent to process paths to directories it is configured to watch. I.e. the input passed to glob-parent comes form nodemon's configuration file. Statement: While some components do package a vulnerable version of glob-parent, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. This applies to the following products: - OpenShift Container Platform (OCP) - OpenShift ServiceMesh (OSSM) - Red Hat Advanced Cluster Management for Kubernetes (RHACM) This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7 Via RHSA-2021:1499 https://access.redhat.com/errata/RHSA-2021:1499 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28469 This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:2865 https://access.redhat.com/errata/RHSA-2021:2865 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280 This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:4626 https://access.redhat.com/errata/RHSA-2021:4626 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595 |