Bug 2254559 (CVE-2023-48631)

Summary: CVE-2023-48631 css-tools: regular expression denial of service (ReDoS) when parsing CSS
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aarif, aazores, adamevin, adudiak, adupliak, amctagga, aprice, asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, caswilli, cdewolf, chazlett, darran.lofthouse, dfreiber, dkenigsb, dkreling, dosoudil, drichtar, drow, eaguilar, ebaron, epacific, fdeutsch, fjuma, ivassile, iweiss, jburrell, jcammara, jchui, jhardy, jkang, jkoehler, jneedle, jobarker, jpallich, jsherril, kaycoth, kshier, ktsao, lgao, mabashia, mnovotny, mosmerov, mpierce, msochure, mstefank, msvehla, mulliken, mwringe, nboldt, nwallace, oezr, oramraz, pajung, pdrozd, peholase, pjindal, pmackay, pskopek, rguimara, rjohnson, rowaters, rstancel, rtaniwa, saroy, sfroberg, simaishi, smaestri, smcdonal, smullick, stcannon, sthirugn, sthorger, teagle, tfister, tkral, tom.jenkinson, vkrizan, vkumar, vmugicag, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: css-tools 4.3.2
Doc Type: If docs needed, set a value
Doc Text:
A Regular Expression Denial of Service (ReDoS) vulnerability was found in Adobe's css-tools when parsing CSS. This issue occurs due to improper input validation and may allow an attacker to use a carefully crafted input string to cause a denial of service, especially when attempting to parse CSS.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2254570, 2254720
Bug Blocks: 2254569

Description TEJ RATHI 2023-12-14 14:31:56 UTC
@adobe/css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2
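A practical check to go with the affected/fixed version range above, as an added example that is not part of this bug report and not code from the css-tools project: it walks an npm package-lock.json (lockfileVersion 2 or 3, which keys every installed copy by its path in the "packages" map) and flags each copy of @adobe/css-tools older than 4.3.2, including nested duplicates that a hoisted fixed copy would otherwise hide. The sample lockfile is constructed; the version comparison only looks at the numeric major.minor.patch core, so treating a pre-release of 4.3.2 as fixed is an assumption of this example.

```javascript
// Added example: find copies of @adobe/css-tools affected by CVE-2023-48631
// (versions 4.3.1 and earlier; fixed in 4.3.2) in a package-lock.json.
// Not from the bug report or the css-tools project.
const PACKAGE_NAME = "@adobe/css-tools";
const FIXED_VERSION = "4.3.2";

// Compare two versions on their numeric major.minor.patch core.
// Pre-release and build suffixes are dropped (assumption of this example),
// so "4.3.2-rc.1" compares equal to "4.3.2". Returns -1, 0 or 1.
function compareVersions(a, b) {
  const core = (v) => v.replace(/^v/, "").split(/[-+]/)[0].split(".").map(Number);
  const pa = core(a);
  const pb = core(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the given css-tools version is below the fixed release.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3) and return every
// install path of @adobe/css-tools whose version is affected.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/" + PACKAGE_NAME)) continue;
    if (meta && typeof meta.version === "string" && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the hoisted copy is fixed (4.3.2) but a
// dependency still pins its own nested, affected copy (4.3.1).
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@adobe/css-tools": { version: "4.3.2" },
    "node_modules/some-dependency/node_modules/@adobe/css-tools": { version: "4.3.1" },
  },
};

// Demo run over the constructed lockfile; swap in JSON.parse(fs.readFileSync(...))
// of a real package-lock.json to check a project.
for (const hit of findAffected(SAMPLE_LOCKFILE)) {
  console.log(`AFFECTED ${hit.path} (${hit.version} < ${FIXED_VERSION})`);
}
```

Only the nested 4.3.1 copy is reported for the sample; `npm ls @adobe/css-tools` shows the same tree interactively, but scanning the lockfile is what you can run in CI without installing.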

Comment 12 errata-xmlrpc 2024-05-23 06:39:53 UTC
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316

Comment 13 errata-xmlrpc 2024-06-13 11:38:35 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2024:3919 https://access.redhat.com/errata/RHSA-2024:3919

Comment 14 errata-xmlrpc 2024-06-20 00:35:49 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989