Bug 2280601 (CVE-2024-4067)
| Summary: | CVE-2024-4067 micromatch: vulnerable to Regular Expression Denial of Service | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Rohit Keshri <rkeshri> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aazores, abarbaro, abrianik, adamevin, adupliak, akostadi, alcohan, amasferr, amctagga, anjoseph, anthomas, aprice, aschwart, asoldano, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, boliveir, brasmith, brian.stansberry, brking, caswilli, cbartlet, cdewolf, chazlett, cmah, cmiranda, cochase, crizzo, danken, darran.lofthouse, dfreiber, dhanak, dkenigsb, dkreling, dkuc, dmayorov, dnakabaa, doconnor, dosoudil, dranck, drichtar, drosa, drow, dsimansk, dymurray, eaguilar, ebaron, ehelms, epacific, eric.wittmann, fdeutsch, fjansen, fjuma, ggainey, ggrzybek, gkamathe, gmalinko, gotiwari, gparvin, gtanzill, haoli, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jburrell, jcammara, jcantril, jchui, jdobes, jforrest, jgrulich, jhardy, jhe, jhorak, jkang, jkoehler, jkoops, jlledo, jmartisk, jmatthew, jmitchel, jmontleo, jneedle, jobarker, joehler, jolong, jpallich, jprabhak, jrokos, jsamir, jshaughn, jsherril, jtanner, juwatts, jvasik, jwendell, jwong, kaycoth, kegrant, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lbainbri, lchilton, lcouzens, lgao, lphiri, lzap, mabashia, manissin, matzew, mhulan, mmakovy, mnovotny, mosmerov, mpierce, mposolda, mskarbek, msochure, mstefank, msvehla, mulliken, mvyas, mwringe, nbecker, nboldt, nipatil, njean, nmoumoul, nwallace, oezr, orabin, oramraz, osousa, owatkins, pahickey, pantinor, parichar, pbizzarr, pbraun, pcongius, pcreech, pdelbell, pdrozd, peholase, pesilva, pgaikwad, phoracek, pierdipi, pjindal, pmackay, pskopek, psrna, rblanco, rbobbitt, rcernich, rchan, rguimara, rhaigner, rhuss, rjohnson, rkubis, rmartinc, rojacob, rowaters, rstancel, rstepani, rtaniwa, saroy, sausingh, sbiarozk, sdawley, sfeifer, sfroberg, shvarugh, sidakwo, simaishi, sipoyare, slucidi, smaestri, smallamp, smcdonal, smullick, sseago, ssilvert, stcannon, sthirugn, sthorger, stirabos, tasato, teagle, tfister, thason, thavo, tjochec, tkral, tmalecek, tom.jenkinson, tpopela, twalsh, vkrizan, vkumar, vmugicag, vmuzikar, wtam, yguenane, ytale, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the NPM package `micromatch`, which is vulnerable to regular expression denial of service (ReDoS). The issue is in `micromatch.braces()` in `index.js`: the regular expression used there contains `.*`, which greedily matches any run of characters. When a crafted pattern contains an opening brace but no closing brace, the regex engine backtracks through the remaining input, position by position, looking for a closing brace that never appears. The time spent grows with the length of the input, so a sufficiently long pattern makes the application slow down or hang. A fix was merged, but further testing showed the issue persists. The issue should be mitigated by using a safe pattern that does not trigger greedy backtracking over the input. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2280765, 2280766, 2280764, 2280767, 2280768, 2280769, 2280770, 2280771, 2280772, 2280773, 2280774, 2280775, 2280776, 2280778, 2280779, 2280781, 2280782, 2280783, 2280784, 2280785, 2280786, 2280790, 2280791, 2280792, 2280794, 2281799 | ||
| Bug Blocks: | 2280602 | ||
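The following is an added example, not code from micromatch or from this bug report. It assumes a brace-detection regex of the shape the Doc Text describes, `/\{.*\}/` (an assumption; the exact expression in the affected release is not quoted on this page), simulates how a backtracking engine evaluates it so the cost of a payload can be counted, and pairs it with a hand-written single-pass check that gives the same answer without backtracking. All inputs are constructed.

```javascript
'use strict';

// Assumed shape of the vulnerable check described in the Doc Text: a greedy
// `.*` between an opening and a closing brace. This is an illustration, not
// the expression from any particular micromatch release.
const GREEDY_BRACE_RE = /\{.*\}/;

// Simulates how a backtracking regex engine evaluates /\{.*\}/ and counts the
// character tests it performs. For each candidate `{`, the greedy `.*` first
// swallows everything up to the end of the line, then gives characters back
// one at a time while `\}` is retried at each position. If no `}` exists,
// every `{` in the input costs a full scan of what follows it, so a pattern
// built from many `{` characters costs O(n^2) tests.
function greedyBraceSteps(input) {
  let steps = 0;
  for (let start = 0; start < input.length; start++) {
    steps++; // test whether `\{` matches at this start position
    if (input[start] !== '{') continue;
    // `.` does not match a newline, so `.*` stops at the end of the line.
    let limit = input.indexOf('\n', start);
    if (limit === -1) limit = input.length;
    // Backtrack: shrink `.*` one character at a time and retry `\}`.
    for (let end = limit - 1; end > start; end--) {
      steps++; // test whether `\}` matches at this end position
      if (input[end] === '}') return { matched: true, steps };
    }
  }
  return { matched: false, steps };
}

// Single-pass replacement for the regex test: true iff a `}` follows a `{`
// on the same line. Gives the same answer as /\{.*\}/ (including the rule
// that `.` does not match a newline) in O(n) with no backtracking. This is
// a hand-written check for illustration, not the upstream patch.
function hasBracesLinear(input) {
  let sawOpen = false;
  for (const ch of input) {
    if (ch === '\n') sawOpen = false;
    else if (ch === '{') sawOpen = true;
    else if (ch === '}' && sawOpen) return true;
  }
  return false;
}

// Ratio of simulated work between a payload of n braces and one of 10n braces.
// Linear behaviour would give about 10; the greedy pattern gives about 100.
function growthRatio(n) {
  const small = greedyBraceSteps('{'.repeat(n)).steps;
  const large = greedyBraceSteps('{'.repeat(10 * n)).steps;
  return large / small;
}

// Constructed inputs: a normal brace pattern and an attacker-style payload
// made only of opening braces, which never matches but is expensive to reject.
for (const pattern of ['src/{a,b}/*.js', '{'.repeat(2000)]) {
  const { matched, steps } = greedyBraceSteps(pattern);
  console.log(
    `len=${pattern.length} regex=${GREEDY_BRACE_RE.test(pattern)} ` +
    `simulated=${matched} steps=${steps} linear=${hasBracesLinear(pattern)}`
  );
}
console.log(`work ratio for a 10x longer payload: ${growthRatio(100).toFixed(1)}`);
```

The simulated step counts are what a real engine pays on a pattern of `{` characters with no `}`: doubling the payload roughly quadruples the work, which is the slowdown the Doc Text describes. The linear check is one way to avoid that cost; whatever replacement is chosen, verify it with a payload of this shape rather than with ordinary glob patterns.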
Description
Rohit Keshri
2024-05-15 11:12:54 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 2280765]
Affects: fedora-all [bug 2280769]

Created breeze-icon-theme tracking bugs for this issue:

Affects: fedora-all [bug 2280770]

Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2280771]

Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2280772]

Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2280764]
Affects: epel-all [bug 2280766]

Created golang-github-task tracking bugs for this issue:

Affects: fedora-all [bug 2280773]

Created h3 tracking bugs for this issue:

Affects: fedora-all [bug 2280774]

Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2280775]

Created nodejs-bash-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2280776]

Created nodejs-diagnostic-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2280778]

Created onnxruntime tracking bugs for this issue:

Affects: fedora-all [bug 2280779]

Created pgadmin4 tracking bugs for this issue:

Affects: fedora-all [bug 2280781]

Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 2280782]

Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2280783]

Created rstudio tracking bugs for this issue:

Affects: fedora-all [bug 2280784]

Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2280767]
Affects: fedora-all [bug 2280785]

Created yarnpkg tracking bugs for this issue:

Affects: epel-all [bug 2280768]
Affects: fedora-all [bug 2280786]

This issue has been addressed in the following products:

Red Hat Satellite 6.16 for RHEL 8
Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906

This issue has been addressed in the following products:

Red Hat Advanced Cluster Security 4.6

Via RHSA-2024:10775 https://access.redhat.com/errata/RHSA-2024:10775