Bug 2113943 (CVE-2022-2596)

Summary: CVE-2022-2596 node-fetch: Denial of Service in GitHub repository node-fetch
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: afm404, agerstmayr, aileenc, alazarot, amctagga, andrew.slice, anstephe, aoconnor, asoldano, aturgema, balejosg, bbaranow, bbuckingham, bcourt, bmaxwell, bmontgom, bniver, bodavis, brian.stansberry, btotty, caillon+fedoraproject, candlepin-bugs, cdewolf, chazlett, dan.cermak, darran.lofthouse, dbhole, dfediuck, dkreling, dmitry, dosoudil, dwhatley, dymurray, eclipseo, ehelms, emachado, emingora, eparis, erack, eric.wittmann, etamir, extras-orphan, fjuma, flucifre, fmuellner, fzatlouk, gecko-bugs-nobody, gmeno, go-sig, gparvin, grafana-maint, ibek, ibolton, i.ucar86, iweiss, janstey, jburrell, jcajka, jchecahi, jhadvig, jhorak, jistone, jkozol, jmatthew, jmontleo, jochrist, jpadman, jpavlik, jramanat, jrokos, jross, jshaughn, jsherril, jstastny, jwendell, jwon, kai-engert-fedora, kanderso, klember, krathod, kverlaen, ldap-maint, lemenkov, lgao, lvaleeva, lzap, mattias.ellert, mbenjamin, mgoodwin, mhackett, mhulan, michal.skrivanek, michel, mmccune, mnewsome, mnovotny, mokumar, mosmerov, mperina, mpitt, msochure, msvehla, mwringe, myarboro, nathans, nbecker, njean, nmoumoul, nobody, nstielau, nwallace, ocs-bugs, omajid, openstack-sig, orabin, osbuilders, oskutka, ovanders, pabelanger, pahickey, pantinor, pcreech, peholase, pjindal, ploffay, pmackay, rcernich, rchan, rgodfrey, rguimara, rrajasek, rstancel, rsvoboda, rwagner, sbonazzo, scorneli, sgratch, sipoyare, slucidi, smaestri, sostapov, sponnaga, sseago, stcannon, stransky, tom.jenkinson, tpopela, tstellar, twalsh, tzimanyi, user-cont-team+packit-fas, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the node-fetch package. Affected 3.x versions of the node-fetch package are vulnerable to denial of service attacks, affecting system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-02 09:33:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2115194    
Bug Blocks: 2113805    

Description Avinash Hanwate 2022-08-02 11:37:52 UTC 
Denial of Service in GitHub repository node-fetch/node-fetch prior to 3.2.10.

https://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d
https://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7
Comment 2 Avinash Hanwate 2022-08-04 05:31:43 UTC 
Created dotnet6.0 tracking bugs for this issue:

Affects: fedora-all [bug 2115194]
Comment 4 Product Security DevOps Team 2022-09-02 09:33:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2596