Bug 1956818 (CVE-2021-23343)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe | | |
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | alazarot, alegrand, amctagga, anharris, anpicker, anstephe, aos-bugs, aturgema, bcoca, bdettelb, bmontgom, bniver, chousekn, cmeyers, davidn, dblechte, dfediuck, eedri, emingora, eparis, erooth, etirelli, flucifre, gblomqui, gghezzo, gmeno, gparvin, hhorak, hvyas, ibek, jburrell, jcammara, jhadvig, jhardy, jobarker, jokerman, jorton, jramanat, jrokos, jshaughn, jsmith.fedora, jstastny, jweiser, jwendell, kakkoyun, kaycoth, kconner, krathod, kverlaen, lcosic, mabashia, mbenjamin, mgoldboi, mhackett, michal.skrivanek, mnovotny, nodejs-maint, notting, nstielau, osapryki, pjindal, pkrupa, rcernich, relrod, rguimara, rpetrell, rrajasek, sbonazzo, scorneli, sd-operator-metering, sdoran, sgratch, sherold, smcdonal, sostapov, spasquie, sponnaga, stcannon, surbania, thee, tkuratom, tomckay, twalsh, tzimanyi, vereddy, vmugicag, yturgema, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | path-parse 1.0.7 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in nodejs-path-parse. All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-07-22 15:54:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1961974, 1962547, 1956819, 1958057, 1958058, 1958059, 1958060, 1958061, 1958062, 1958063, 1958064, 1958065, 1961577, 1961578, 1961579, 1961580, 1962566, 1962567, 1965700, 1965701, 1965702, 1965703, 1965704, 1965705, 1965706, 1965707, 1965708, 1966762, 1986742, 1986743, 1986744, 1986745, 1989902, 1989903, 1994025, 1994026, 1994027, 1994028 | | |
| Bug Blocks: | 1956821 | | |
Description
Guilherme de Almeida Suckevicz
2021-05-04 13:29:38 UTC
Created nodejs-path-parse tracking bugs for this issue: Affects: fedora-all [bug 1956819]

Analysis is complete for AAP 1.2 and as a result, I found that none of the AAP components use the concerned vulnerable functions, i.e. getAnnotationURL() and loadAnnotation(). Hence, marking AAP as "Not Affected".

Correcting the vulnerable functions: splitDeviceRe, splitTailRe and splitPathRe. None of these are used by AAP 1.2 and its components.

Statement: In Red Hat Quay, whilst a vulnerable version of `path-parse` is included in the quay-rhel8 container, it is a development dependency only, hence the impact of this vulnerability is low.

Since only the current version of ServiceMesh 2.0.x is supported for low and moderate impact vulnerabilities, the ServiceMesh 1.1.x components have been marked as OOSS.

This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4. Via RHSA-2021:2865 https://access.redhat.com/errata/RHSA-2021:2865

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23343

Updated the published date to match the public date from Snyk instead of the disclosure date.

Thanks @btarraso

This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7; Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8. Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support. Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support. Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666

This issue has been addressed in the following products: RHACS-3.67-RHEL-8. Via RHSA-2021:4902 https://access.redhat.com/errata/RHSA-2021:4902