Bug 1966615 (CVE-2021-33623)
| Summary: | CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | alegrand, anpicker, aos-bugs, bcoca, bmontgom, chousekn, cmeyers, davidn, dblechte, dfediuck, eedri, eparis, erooth, gblomqui, gghezzo, gparvin, jburrell, jcammara, jhardy, jobarker, jokerman, jramanat, jsmith.fedora, jweiser, jwendell, kakkoyun, kaycoth, kconner, mabashia, mgoldboi, michal.skrivanek, nodejs-sig, notting, nstielau, osapryki, pkrupa, rcernich, relrod, rpetrell, sbonazzo, scorneli, sdoran, sgratch, sherold, smcdonal, spasquie, sponnaga, stcannon, thee, tkuratom, twalsh, vmugicag, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | trim-newlines 3.0.1, trim-newlines 4.0.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in nodejs-trim-newlines. Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-08-06 01:07:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1970204, 1975320, 1966618, 1970052, 1970054, 1970055, 1971653, 1972725, 1972726, 1972727, 1972728, 1972729, 1972730, 1972731, 1972732, 1975642, 1975643 | | |
| Bug Blocks: | 1966616 | | |
Description
Guilherme de Almeida Suckevicz
2021-06-01 14:05:52 UTC

Created nodejs-trim-newlines tracking bugs for this issue:

Affects: fedora-33 [bug 1966618]

Marking services affected/delegated. Affected package is present, but no evidence at this time that the affected method is in use.

ossm-2 marked as affected/delegated, as spec file and yarn both report that trim-newlines is required both directly and indirectly. However, I can't find any usage of trim-newlines in the source code of grafana.

Analysis is complete for Ansible Automation Platform. Though an affected version of the trim-newlines package is found in the dependency list (prod-sec manifest), there is no usage of the trim-newlines package or the trimNewlines() function with the end() method found in the source code of any component of AAP 1.2. Moreover, as the Ansible engineering team has confirmed that "they don't use the trim-newlines package and it's not in their dependency tree", I believe it's not in actual use. Also, the below command has returned no output.

    # npm ls | grep "trim-newlines"

Having said that, marking this as "Affected" -> "delegated".

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33623

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8
Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618

This issue has been addressed in the following products:
Red Hat Virtualization Engine 4.4
Via RHSA-2022:5555 https://access.redhat.com/errata/RHSA-2022:5555