Bug 2280600 (CVE-2024-4068)
| Summary: | CVE-2024-4068 braces: fails to limit the number of characters it can handle | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Rohit Keshri <rkeshri> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aazores, abarbaro, abobrov, abrianik, abuckta, adamevin, adupliak, akostadi, alcohan, amasferr, amctagga, anjoseph, anthomas, aprice, aschwart, asoldano, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, boliveir, brasmith, brian.stansberry, brking, btarraso, caswilli, cbartlet, cdewolf, chazlett, cmah, cmiranda, cochase, crizzo, danken, darran.lofthouse, dfreiber, dhanak, dholler, dkenigsb, dkreling, dkuc, dmayorov, dnakabaa, doconnor, dosoudil, dranck, drichtar, drosa, drow, dsimansk, dward, dymurray, eaguilar, ebaron, ecerquei, ehelms, epacific, eric.wittmann, fdeutsch, fjansen, fjuma, ggainey, ggrzybek, gkamathe, gmalinko, gotiwari, gparvin, gtanzill, haoli, hhorak, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jburrell, jcammara, jcantril, jchui, jdobes, jforrest, jgrulich, jhardy, jhe, jhorak, jkang, jkoehler, jkoops, jlledo, jmartisk, jmatthew, jmitchel, jmontleo, jneedle, jobarker, joehler, jolong, jorton, jpallich, jprabhak, jrokos, jsamir, jshaughn, jsherril, jtanner, juwatts, jvasik, jwendell, jwong, kaycoth, kegrant, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lbainbri, lchilton, lcouzens, lgao, lphiri, lzap, mabashia, manissin, matzew, mhulan, mmakovy, mnovotny, mosmerov, mpierce, mposolda, mskarbek, msochure, mstefank, msvehla, mulliken, mvyas, mwringe, nbecker, nboldt, nipatil, njean, nmoumoul, nodejs-maint, nwallace, oblaut, oezr, orabin, oramraz, osousa, owatkins, pahickey, pantinor, parichar, pbizzarr, pbraun, pcongius, pcreech, pdelbell, pdrozd, peholase, pesilva, pgaikwad, phoracek, pierdipi, pjindal, pmackay, pskopek, psrna, rblanco, rbobbitt, rcernich, rchan, rguimara, rhaigner, rhuss, rjohnson, rkubis, rmartinc, rojacob, rowaters, rstancel, rstepani, rtaniwa, saroy, sausingh, sbiarozk, sdawley, sfeifer, sfroberg, shvarugh, sidakwo, simaishi, sipoyare, slucidi, smaestri, smallamp, smcdonal, smullick, sseago, ssilvert, stcannon, sthirugn, sthorger, stirabos, tasato, teagle, tfister, thason, thavo, thrcka, tjochec, tkral, tmalecek, tom.jenkinson, tpopela, twalsh, vkrizan, vkumar, vmugicag, vmuzikar, wtam, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the NPM package `braces`. It fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, causing the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2280611, 2280612, 2280610, 2280613, 2280614, 2280615, 2280616, 2280617, 2280618, 2280619, 2280620, 2280621, 2280622, 2280623, 2280624, 2280625, 2280626, 2280627, 2280628, 2280629, 2280630, 2280631, 2280777, 2280780, 2280787, 2280788, 2280789, 2281796 | | |
| Bug Blocks: | 2280602 | | |
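The Doc Text above describes the failure mode: an over-long or imbalanced brace pattern drives the parser into a loop that keeps allocating until the heap limit is hit. A mitigation that does not depend on the library's own fix is to validate untrusted patterns before they reach the expander. The following is an added example, not code from the `braces` package or from this bug report; the length cap `MAX_PATTERN_LENGTH`, the function names and the sample inputs are assumptions chosen for the illustration.

```javascript
// Added example (not braces' own code): a pre-validation guard that a caller
// applies before handing a pattern to a brace-expansion library.
// MAX_PATTERN_LENGTH is an assumed cap; tune it to what the application needs.
const MAX_PATTERN_LENGTH = 1024;

// Returns { ok: true } when the pattern is acceptable, otherwise
// { ok: false, reason: '...' } explaining why it was rejected.
function checkBracePattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  // First line of defence: bound the amount of input the parser may see.
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: `pattern exceeds ${MAX_PATTERN_LENGTH} characters` };
  }
  // Second line of defence: reject imbalanced braces outright, since that is
  // the input shape the advisory describes. Backslash-escaped characters are
  // skipped so that a literal "\{" or "\}" does not count as open/close.
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') {
      i++; // skip the escaped character
      continue;
    }
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) {
        return { ok: false, reason: `unmatched "}" at offset ${i}` };
      }
      depth--;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: `${depth} unclosed "{"` };
  }
  return { ok: true };
}

// Wrapper: the caller-supplied expander runs only when the guard passes.
// expandFn stands in for whatever brace-expansion function the application uses.
function safeExpand(pattern, expandFn) {
  const verdict = checkBracePattern(pattern);
  if (!verdict.ok) {
    throw new RangeError(`rejected brace pattern: ${verdict.reason}`);
  }
  return expandFn(pattern);
}

// Constructed sample inputs for the demonstration.
const samples = [
  'a{b,c}d',          // balanced -> accepted
  '{'.repeat(10000),  // long run of open braces -> rejected by the length cap
  '{{{',              // short but imbalanced -> rejected by the balance check
  'a\\{b',            // escaped brace is literal -> accepted
];

for (const s of samples) {
  const v = checkBracePattern(s);
  const shown = s.length > 20 ? s.slice(0, 20) + '...' : s;
  console.log(JSON.stringify(shown), '=>', v.ok ? 'ok' : v.reason);
}
```

The two checks are deliberately independent: the length cap bounds worst-case work even for inputs the balance check would accept, and the balance check catches the specific shape described in the advisory even when it is short. Neither replaces updating to a fixed `braces` release; they limit exposure for code paths that accept patterns from untrusted sources.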
Description
Rohit Keshri
2024-05-15 11:10:57 UTC
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 2280611]
Affects: fedora-all [bug 2280615]

Created breeze-icon-theme tracking bugs for this issue:
Affects: fedora-all [bug 2280616]

Created cachelib tracking bugs for this issue:
Affects: fedora-all [bug 2280617]

Created fbthrift tracking bugs for this issue:
Affects: fedora-all [bug 2280618]

Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-7 [bug 2280610]
Affects: epel-all [bug 2280612]

Created golang-github-task tracking bugs for this issue:
Affects: fedora-all [bug 2280619]

Created h3 tracking bugs for this issue:
Affects: fedora-all [bug 2280620]

Created mozjs78 tracking bugs for this issue:
Affects: fedora-all [bug 2280621]

Created nodejs-bash-language-server tracking bugs for this issue:
Affects: fedora-all [bug 2280622]

Created nodejs-diagnostic-language-server tracking bugs for this issue:
Affects: fedora-all [bug 2280623]

Created nodejs-nodemon tracking bugs for this issue:
Affects: fedora-all [bug 2280624]

Created onnxruntime tracking bugs for this issue:
Affects: fedora-all [bug 2280625]

Created pgadmin4 tracking bugs for this issue:
Affects: fedora-all [bug 2280626]

Created phpMyAdmin tracking bugs for this issue:
Affects: fedora-all [bug 2280627]

Created qt6-qtwebengine tracking bugs for this issue:
Affects: fedora-all [bug 2280628]

Created rstudio tracking bugs for this issue:
Affects: fedora-all [bug 2280629]

Created seamonkey tracking bugs for this issue:
Affects: epel-all [bug 2280613]
Affects: fedora-all [bug 2280630]

Created yarnpkg tracking bugs for this issue:
Affects: epel-all [bug 2280614]
Affects: fedora-all [bug 2280631]

bugzilla-- :(

This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.8
Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Via RHSA-2024:8077 https://access.redhat.com/errata/RHSA-2024:8077

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2024:8076 https://access.redhat.com/errata/RHSA-2024:8076

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2024:8075 https://access.redhat.com/errata/RHSA-2024:8075

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform
Via RHSA-2024:8080 https://access.redhat.com/errata/RHSA-2024:8080

This issue has been solved in RHACM 2.10.4 via this public advisory https://access.redhat.com/errata/RHSA-2024:4464

This issue has been solved in RHACM 2.9.4 via this public advisory https://access.redhat.com/errata/RHBA-2024:3593

This issue has been solved in MCE 2.5.3 via this public advisory https://access.redhat.com/errata/RHBA-2024:2862

This issue has been solved in MCE 2.4.5 via this public advisory https://access.redhat.com/errata/RHBA-2024:3555

This issue has been addressed in the following products: HawtIO 4.0.0 for Red Hat build of Apache Camel 4
Via RHSA-2024:11023 https://access.redhat.com/errata/RHSA-2024:11023