Bug 2183110 (CVE-2023-26118)

Summary: CVE-2023-26118 angularjs: Regular Expression Denial of Service via the <input type="url"> element
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abobrov, aileenc, amctagga, aoconnor, asoldano, bbaranow, bdettelb, bmaxwell, bniver, boliveir, brian.stansberry, caswilli, cdewolf, chazlett, darran.lofthouse, dkreling, doconnor, dosoudil, drichtar, eglynn, erack, fjuma, flucifre, fmuellner, fzatlouk, gblomqui, gmalinko, gmeno, gotiwari, grafana-maint, istudens, ivassile, iweiss, janstey, jhorak, jjoyce, jkoops, jkurik, jschluet, jwendell, kaycoth, lchilton, lgao, lhh, lsvaty, mabashia, mbenjamin, mburns, mgarciac, mhackett, mosmerov, mrehak, msochure, msvehla, mvyas, nathans, nwallace, pdelbell, pdrozd, peholase, pesilva, pgrist, pjindal, pmackay, pskopek, rcernich, rhos-maint, rmartinc, rowaters, rstancel, rstepani, sfeifer, smaestri, smcdonal, sostapov, spower, sthorger, stransky, teagle, tom.jenkinson, tpopela, twalsh, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in AngularJS, where it is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in the input[url] functionality. By providing specially-crafted regex input, a remote attacker can cause a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2207892, 2207893, 2208194, 2208195, 2208196, 2208197, 2208198, 2208199, 2208200, 2208201, 2211108, 2211110, 2211111, 2211113, 2211114, 2211115, 2211117, 2211118, 2211120, 2211121, 2211123, 2211124, 2211125, 2211126, 2211127    
Bug Blocks: 2183111    

Description Pedro Sampaio 2023-03-30 12:21:51 UTC 
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

References:

https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
Comment 3 Avinash Hanwate 2023-05-18 08:50:32 UTC 
Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 2208194]


Created icecat tracking bugs for this issue:

Affects: fedora-all [bug 2208195]


Created mozjs102 tracking bugs for this issue:

Affects: fedora-all [bug 2208196]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2208197]


Created qpid-dispatch tracking bugs for this issue:

Affects: openstack-rdo [bug 2208199]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 2208198]
Comment 7 Tomas Popela 2023-05-30 14:52:53 UTC 
@mrehak please don't open any bugs for RHEL 8 Firefox and Thunderbird Flatpaks as these were obsoleted by their RHEL 9 version at the time of RHEL 8.7.0 GA. I was assured several times that the templates/scripts that Product Security is using will be/were adapted, but still bugs are opened for these.