Bug 1998236 (CVE-2021-23406)

Summary: CVE-2021-23406 nodejs-pac-resolver: remote code execution when used with untrusted input due to unsafe PAC file handling
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: gparvin, pahickey, stcannon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pac-resolver 5.0.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-pac-resolver. A remote code execution can occur with untrusted input, due to unsafe PAC file handling. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1999096, 1999098, 1999099, 1999100    
Bug Blocks: 1998237    

Description Guilherme de Almeida Suckevicz 2021-08-26 16:37:10 UTC 
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.

References:
https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857

Upstream patches:
https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e
https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5