Bug 2161901 (CVE-2022-25901)
| Summary: | CVE-2022-25901 cookiejar: Regular Expression Denial of Service (ReDoS) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ellin, erack, fmuellner, fzatlouk, gparvin, jhorak, klember, njean, owatkins, pahickey, rgarg, scorneli, shbose, stcannon, stransky, teagle, tpopela, ubhargav |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | cookiejar 2.1.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A Regular Expression Denial of Service (ReDoS) vulnerability was found in cookiejar via the Cookie.parse function and other aspects of the API, which uses an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.regular expression.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2164317 | ||
| Bug Blocks: | 2161902 | ||
|
Description
Avinash Hanwate
2023-01-18 08:42:09 UTC
Created nodejs-cookiejar tracking bugs for this issue: Affects: epel-7 [bug 2164317] |