Bug 2156324 (CVE-2021-35065)

Summary: CVE-2021-35065 glob-parent: Regular Expression Denial of Service
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, agerstmayr, aileenc, alazarot, asoldano, balejosg, bbaranow, bbuckingham, bcoca, bcourt, bdettelb, bmaxwell, boliveir, brian.stansberry, btotty, cdewolf, chazlett, cluster-maint, darran.lofthouse, davidn, dcadzow, dfreiber, dkenigsb, dkreling, dosoudil, dymurray, ehelms, ellin, emingora, epacific, fdeutsch, fjuma, fmongiar, fmuellner, fzatlouk, gjospin, gmalinko, gparvin, grafana-maint, gzaronik, hhorak, ibek, ibolton, idevat, ivassile, iweiss, janstey, jburrell, jcammara, jcantril, jhardy, jhorak, jkurik, jmatthew, jmontleo, jneedle, jnethert, jobarker, jorton, jpavlik, jpoth, jrokos, jshaughn, jsherril, jstastny, jwendell, jwon, klember, kshier, kverlaen, lgao, lzap, mabashia, mhulan, mlisik, mnovotny, mokumar, mosmerov, mpitt, mpospisi, msochure, msvehla, mwringe, myarboro, nathans, nboldt, njean, nmoumoul, nodejs-maint, nwallace, ocs-bugs, omular, orabin, oramraz, osapryki, oskutka, owatkins, pahickey, pcreech, pdelbell, pdrozd, peholase, periklis, pjindal, pmackay, pskopek, rcernich, rchan, rgarg, rguimara, rogbas, rrajasek, rstancel, scorneli, scox, sfowler, shbose, simaishi, slucidi, smaestri, smcdonal, smullick, sseago, stcannon, sthorger, stransky, tcunning, teagle, tfister, thrcka, tojeline, tom.jenkinson, twalsh, ubhargav, vkumar, yfang, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: glob-parent 6.0.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks, affecting system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-02-12 15:09:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2156636, 2156444, 2156445, 2156446, 2156447, 2156448, 2156449, 2156450, 2156451, 2156452, 2156453, 2156454, 2156455, 2156456, 2156457, 2156462, 2156637, 2156638, 2156639, 2156640, 2156641, 2156642, 2156643, 2156644, 2156645, 2156646, 2156647, 2156648, 2156649, 2156650, 2156651, 2156652, 2156653, 2156654, 2156655, 2156656, 2156657, 2156658, 2156659, 2156660, 2175829, 2175830, 2175831, 2175832, 2178079, 2178080, 2178081, 2178082, 2178083, 2178084, 2178085, 2178144, 2178145, 2178146
Bug Blocks: 2156325

Description Avinash Hanwate 2022-12-26 12:21:37 UTC
The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.

https://github.com/gulpjs/glob-parent/commit/3e9f04a3b4349db7e1962d87c9a7398cda51f339
https://github.com/gulpjs/glob-parent/pull/49
https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294
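
The ReDoS class described above, as an added example that is not glob-parent's own code and not part of the bug report: a backtracking "enclosure" check of the shape the advisory describes, beside an equivalent linear scan, with a timing harness that shows the quadratic blow-up on an attacker-chosen glob. Assumption: the pre-6.0.1 pattern had the shape /[\{\[].*[\}\]]$/ (confirm against the linked commit); the function names, the timing helper and the sample inputs are constructed for this example.

```javascript
// Added example, not glob-parent's own code. Shows why a backtracking
// "enclosure" regex of the shape glob-parent used before 6.0.1 is quadratic
// on attacker-chosen input, and how an equivalent linear scan avoids that.
// Assumption: the vulnerable pattern had the shape /[\{\[].*[\}\]]$/; check
// the linked fix commit, the exact regex is not quoted on this page.

// Vulnerable shape: every '{' or '[' in the input is a candidate start, '.*'
// runs to the end and then backtracks one character at a time looking for a
// closing '}' or ']' at the very end. O(n) work per start, O(n^2) in total.
const enclosureRegex = /[\{\[].*[\}\]]$/;

function isEnclosureRegex(str) {
  return enclosureRegex.test(str);
}

// Same decision without backtracking: the last character must be a closer,
// and some opener must precede it with no line terminator in between ('.'
// never matches a line terminator, and '$' without the m flag only matches
// at end of input). One right-to-left pass: O(n).
function isEnclosureLinear(str) {
  const n = str.length;
  if (n < 2) return false;
  const last = str[n - 1];
  if (last !== '}' && last !== ']') return false;
  for (let i = n - 2; i >= 0; i--) {
    const c = str[i];
    if (c === '\n' || c === '\r' || c === '\u2028' || c === '\u2029') return false;
    if (c === '{' || c === '[') return true;
  }
  return false;
}

// Attacker-controlled glob (constructed): many openers and no closer at the
// end, so every candidate start is tried and every '.*' expansion is fully
// backtracked before the regex gives up.
function redosInput(n) {
  return '{'.repeat(n);
}

// Wall-clock milliseconds for one call of fn(input).
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Timings for a payload of length n: the regex figure grows roughly with
// n^2 while the linear scan stays flat.
function compare(n) {
  const payload = redosInput(n);
  return {
    n,
    regexMs: timeMs(isEnclosureRegex, payload),
    linearMs: timeMs(isEnclosureLinear, payload),
  };
}

// Constructed ordinary globs to show that both checks agree.
const samples = ['src/{a,b}', 'src/[ab]', 'src/{a/b}', 'src/*.js', '{', '}', 'a{b\nc}', ''];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of samples) {
    console.log(JSON.stringify(s), isEnclosureRegex(s), isEnclosureLinear(s));
  }
  for (const n of [2000, 4000, 8000]) console.log(compare(n));
}
```

Run it with `node` and double n a few times: the regex timing roughly quadruples per doubling, the linear scan does not. The linked fix commit takes the same approach of replacing the regular expression with explicit string scanning; the practical lesson for any glob-handling service is that a pattern string taken from a user is attacker input, so the checks applied to it must be linear or the input length must be bounded before the check runs.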

Comment 4 Avinash Hanwate 2022-12-28 04:10:37 UTC
Created cockatrice tracking bugs for this issue:

Affects: fedora-36 [bug 2156638]


Created gnome-shell-extension-material-shell tracking bugs for this issue:

Affects: fedora-36 [bug 2156639]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-36 [bug 2156640]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2156636]


Created grafana tracking bugs for this issue:

Affects: fedora-36 [bug 2156641]


Created llhttp tracking bugs for this issue:

Affects: fedora-37 [bug 2156650]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-36 [bug 2156642]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-36 [bug 2156643]


Created nodejs-diagnostic-language-server tracking bugs for this issue:

Affects: fedora-36 [bug 2156644]
Affects: fedora-37 [bug 2156651]


Created nodejs-nodemon tracking bugs for this issue:

Affects: fedora-36 [bug 2156645]


Created pcs tracking bugs for this issue:

Affects: fedora-36 [bug 2156646]
Affects: fedora-37 [bug 2156652]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-37 [bug 2156653]


Created seamonkey tracking bugs for this issue:

Affects: epel-8 [bug 2156637]
Affects: fedora-36 [bug 2156647]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-36 [bug 2156648]
Affects: fedora-37 [bug 2156654]


Created zuul tracking bugs for this issue:

Affects: fedora-36 [bug 2156649]

Comment 20 errata-xmlrpc 2023-02-06 19:39:45 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612

Comment 22 errata-xmlrpc 2023-02-09 14:01:11 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0634 https://access.redhat.com/errata/RHSA-2023:0634

Comment 23 Product Security DevOps Team 2023-02-12 15:09:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-35065

Comment 24 errata-xmlrpc 2023-02-28 00:50:45 UTC
This issue has been addressed in the following products:

  MTA-6.0-RHEL-8

Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934

Comment 25 errata-xmlrpc 2023-03-01 21:44:05 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 26 errata-xmlrpc 2023-03-01 21:46:32 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 27 errata-xmlrpc 2023-03-01 21:49:02 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 28 errata-xmlrpc 2023-03-01 21:50:03 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 29 errata-xmlrpc 2023-03-01 22:00:07 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 31 errata-xmlrpc 2023-03-30 12:35:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533

Comment 32 errata-xmlrpc 2023-04-04 09:48:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1582 https://access.redhat.com/errata/RHSA-2023:1582

Comment 33 errata-xmlrpc 2023-04-04 09:48:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1583 https://access.redhat.com/errata/RHSA-2023:1583

Comment 34 errata-xmlrpc 2023-04-12 14:58:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Comment 35 errata-xmlrpc 2023-04-12 14:58:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1743 https://access.redhat.com/errata/RHSA-2023:1743

Comment 36 errata-xmlrpc 2023-05-09 11:46:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2654 https://access.redhat.com/errata/RHSA-2023:2654