Bug 2167268 (CVE-2018-25079)

Summary: CVE-2018-25079 is-url: inefficient regular expression complexity
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dfreiber, jburrell, rogbas, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the is-url package. Crafted input leads to inefficient regular expression complexity.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2167269, 2167289
Bug Blocks: 2167257

Description Avinash Hanwate 2023-02-06 05:29:07 UTC
A vulnerability was found in Segmentio is-url up to 1.2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. Upgrading to version 1.2.3 is able to address this issue. The name of the patch is 149550935c63a98c11f27f694a7c4a9479e53794. It is recommended to upgrade the affected component. VDB-220058 is the identifier assigned to this vulnerability.

https://github.com/segmentio/is-url/commit/149550935c63a98c11f27f694a7c4a9479e53794
https://github.com/segmentio/is-url/releases/tag/v1.2.3
https://vuldb.com/?ctiid.220058
https://vuldb.com/?id.220058
https://github.com/segmentio/is-url/pull/18

Comment 1 Avinash Hanwate 2023-02-06 05:30:17 UTC
Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2167269]

Comment 2 Avinash Hanwate 2023-02-06 06:27:24 UTC
Created yarnpkg tracking bugs for this issue:

Affects: epel-8 [bug 2167289]