Bug 2183108 (CVE-2023-26117)

Summary: CVE-2023-26117 angularjs: Regular expression denial of service via the $resource service
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, amctagga, aoconnor, asoldano, bbaranow, bdettelb, bmaxwell, bniver, boliveir, brian.stansberry, caswilli, cdewolf, chazlett, darran.lofthouse, dkreling, doconnor, dosoudil, drichtar, eglynn, erack, fjuma, flucifre, fmuellner, fzatlouk, gblomqui, gmalinko, gmeno, gotiwari, grafana-maint, istudens, ivassile, iweiss, janstey, jhorak, jjoyce, jkoops, jkurik, jschluet, jwendell, kaycoth, lchilton, lgao, lhh, lsvaty, mabashia, manissin, mbenjamin, mburns, mgarciac, mhackett, mosmerov, msochure, msvehla, muagarwa, mvyas, nathans, nwallace, omajid, pdelbell, pdrozd, peholase, pesilva, pgrist, pjindal, pmackay, pskopek, rcernich, rhos-maint, rmartinc, rowaters, rstancel, rstepani, sfeifer, smaestri, smcdonal, sostapov, spower, sthorger, stransky, teagle, tom.jenkinson, tpopela, twalsh, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in AngularJS, where it is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) issue in the $resource service. By providing specially-crafted regex input, a remote attacker could cause a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2184355, 2184356, 2184357, 2184358, 2184359, 2208175, 2208177, 2208178, 2208179, 2208180, 2208182, 2208189, 2208191, 2211150, 2211151, 2211152, 2211153, 2211154, 2211156, 2211157, 2211158, 2211159, 2211160, 2211161, 2211162, 2211163, 2211164, 2211165    
Bug Blocks: 2183111    

Description Pedro Sampaio 2023-03-30 12:18:17 UTC 
angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

References:

https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045
Comment 4 Avinash Hanwate 2023-05-18 08:41:38 UTC 
Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 2208175]


Created icecat tracking bugs for this issue:

Affects: fedora-all [bug 2208177]


Created mozjs102 tracking bugs for this issue:

Affects: fedora-all [bug 2208178]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2208179]


Created qpid-dispatch tracking bugs for this issue:

Affects: openstack-rdo [bug 2208182]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 2208180]