Bug 2241149 (CVE-2023-43646)

Summary: CVE-2023-43646 get-func-name: ReDoS in chai module
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dfreiber, dkreling, dosoudil, fjuma, ivassile, iweiss, jburrell, jshaughn, jwendell, lgao, mosmerov, msochure, mstefank, msvehla, nwallace, owatkins, pjindal, pmackay, rcernich, rogbas, rstancel, sdawley, smaestri, tom.jenkinson, twalsh, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: get-func-name 2.0.1 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the get-func-name package in the chai module. Affected versions of this package are vulnerable to Regular expression denial of service (ReDoS) attacks, affecting system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2241150, 2241151    
Bug Blocks: 2241152    

Description TEJ RATHI 2023-09-28 09:18:07 UTC 
get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit `f934b228b` which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69
https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
Comment 4 Chess Hazlett 2023-09-28 19:38:31 UTC 
JDG-7 is in ELS-1 and OOSS for importants. Closing WONTFIX.
Comment 6 errata-xmlrpc 2024-07-17 13:09:50 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591