Bug 2134872 (CVE-2022-37599)

Summary: CVE-2022-37599 loader-utils: regular expression denial of service in interpolateName.js
Product: [Other] Security Response
Reporter: juneau
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aazores, abobrov, adudiak, adupliak, aileenc, alampare, alazarot, amctagga, anbehl, asoldano, aveerama, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, boliveir, brian.stansberry, caswilli, cdewolf, chazlett, cluster-maint, cwelton, darran.lofthouse, davidn, dcadzow, dffrench, dfreiber, dhanak, dkenigsb, dkreling, dkuc, dosoudil, drichtar, dymurray, eaguilar, ebaron, ehelms, ellin, emingora, epacific, eric.wittmann, fdeutsch, fdupont, fjansen, fjuma, fmuellner, fzatlouk, gjospin, gmalinko, gparvin, grafana-maint, gzaronik, ibek, ibolton, idevat, idm-ds-dev-bugs, ikanias, ivassile, iweiss, janstey, jary, jburrell, jcammara, jcantril, jhardy, jhorak, jkang, jkoehler, jkurik, jmatthew, jmontleo, jneedle, jobarker, jpallich, jrokos, jshaughn, jsherril, jwendell, jweng, jwong, kaycoth, klember, kshier, kverlaen, lbacciot, lgao, lpetrovi, lzap, mabashia, mhulan, micjohns, mlisik, mnovotny, mosmerov, mpitt, mpospisi, mresvani, msochure, msvehla, mwringe, myarboro, nathans, nboldt, ngough, njean, nmoumoul, nwallace, omular, orabin, oramraz, osapryki, owatkins, pahickey, pantinor, pcreech, pdelbell, pdrozd, peholase, periklis, pjindal, pmackay, psegedy, pskopek, rcernich, rchan, release-test-team-automation, rgodfrey, rguimara, rjohnson, rogbas, rowaters, rrajasek, rravi, rstancel, saroy, scorneli, sfroberg, sgott, shbose, simaishi, slucidi, smaestri, smcdonal, smullick, sseago, stcannon, sthirugn, sthorger, stransky, tcarlin, teagle, tfister, tohughes, tojeline, tom.jenkinson, tpopela, twalsh, ubhargav, vkrizan, vkumar, vmugicag, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: loader-utils 1.4.2, loader-utils 2.0.4, loader-utils 3.2.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the interpolateName function in interpolateName.js in webpack loader-utils 2.0.0, reachable through the resourcePath variable. A crafted input can make the regular expression processing in that function take excessive time, leading to a regular expression denial of service (ReDoS). The fix is to upgrade to a release that contains the corrected code: loader-utils 1.4.2, 2.0.4 or 3.2.1, depending on the major line in use.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2209311, 2209323, 2209326, 2134878, 2209312, 2209313, 2209314, 2209315, 2209316, 2209317, 2209322, 2209324, 2209325, 2210672, 2210673, 2210674, 2210675, 2210676, 2210677, 2210678, 2210679
Bug Blocks: 2134710

Description juneau 2022-10-14 14:01:44 UTC
A regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

loader-utils prior to version 3 is deprecated and no longer supported.

External Reference:
https://github.com/webpack/loader-utils/issues/211
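The practical question for anyone reading this bug is whether a given project still ships an affected loader-utils, and that package is almost always a transitive dependency pulled in by several loaders at once. The following is an added example, not code from this bug report, from Red Hat, or from the loader-utils project: it walks a dependency tree in the nested shape that `npm ls --json --all` prints and flags every loader-utils copy whose version is below the fix for its major line, using the three releases from the Fixed In Version field (1.4.2, 2.0.4, 3.2.1). Everything in SAMPLE_TREE (package names, versions, nesting) is constructed for illustration. Two choices are assumptions of this example rather than statements from the bug: 0.x versions are measured against the 1.4.2 threshold, and any major line newer than 3 is treated as post-fix because no fix is listed for it here.

```javascript
// Added example: audit an `npm ls --json --all` style dependency tree for
// loader-utils copies affected by CVE-2022-37599. Not part of the bug report
// or of loader-utils itself. Input shape: {dependencies: {name: {version, dependencies}}}.

// Fixed-in versions from the "Fixed In Version" field of this bug, keyed by major line.
const FIXED_BY_MAJOR = { 1: "1.4.2", 2: "2.0.4", 3: "3.2.1" };

// Parse "MAJOR.MINOR.PATCH" into numbers; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The release a given loader-utils version must be raised to.
// Assumptions of this example: 0.x is folded into the 1.x threshold, and majors
// newer than 3 (none listed on the bug) return null, meaning "no fix listed
// here; assumed to postdate the fix".
function fixTargetFor(version) {
  const [major] = parseVersion(version);
  if (major <= 1) return FIXED_BY_MAJOR[1];
  return FIXED_BY_MAJOR[major] || null;
}

// True when the version is strictly below the fix for its major line.
function isVulnerable(version) {
  const fixed = fixTargetFor(version);
  if (fixed === null) return false;
  return compareVersions(version, fixed) < 0;
}

// Depth-first walk collecting every loader-utils node with its path from the root.
function findLoaderUtils(tree, chain = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...chain, `${name}@${node.version || "?"}`];
    if (name === "loader-utils" && node.version) {
      out.push({ path: here.join(" > "), version: node.version });
    }
    findLoaderUtils(node, here, out);
  }
  return out;
}

// One record per loader-utils copy: where it sits, its verdict, and the upgrade target.
function auditTree(tree) {
  return findLoaderUtils(tree).map((hit) => ({
    ...hit,
    vulnerable: isVulnerable(hit.version),
    fixedIn: fixTargetFor(hit.version),
  }));
}

// Constructed sample tree: package names, versions and nesting are made up for illustration.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "css-loader": {
      version: "5.2.7",
      dependencies: { "loader-utils": { version: "2.0.2" } },
    },
    "file-loader": {
      version: "6.2.0",
      dependencies: { "loader-utils": { version: "2.0.4" } },
    },
    "url-loader": {
      version: "1.1.2",
      dependencies: { "loader-utils": { version: "1.2.3" } },
    },
    "loader-utils": { version: "3.2.1" },
  },
};

for (const r of auditTree(SAMPLE_TREE)) {
  const verdict = r.vulnerable ? `VULNERABLE, upgrade to ${r.fixedIn}` : "ok";
  console.log(`${r.path}: ${verdict}`);
}
```

To run this against a real project, capture the tree with `npm ls loader-utils --json --all > tree.json` and pass `JSON.parse(fs.readFileSync("tree.json", "utf8"))` to `auditTree`. Because the CVE is in loader-utils itself, a loader that pins an old loader-utils range cannot be fixed by upgrading the loader alone; either the loader must move to a fixed range or the project must force the resolution (for example with npm `overrides` or Yarn `resolutions`), and the audit should be re-run afterwards to confirm no affected copy remains.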

Comment 10 Avinash Hanwate 2023-05-23 13:30:30 UTC
Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2209313]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2209311]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2209314]


Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 2209315]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2209312]
Affects: fedora-all [bug 2209316]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2209317]

Comment 18 errata-xmlrpc 2023-09-05 18:37:09 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.4 async

Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983