Bug 2311171 (CVE-2024-45590)

Summary: CVE-2024-45590 body-parser: Denial of Service Vulnerability in body-parser
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when URL encoding is enabled.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2311257, 2311258, 2311261, 2311262, 2311263, 2311264, 2311265, 2311266, 2311267, 2311268, 2311269, 2311270, 2311271, 2311272, 2311273, 2311274, 2311275, 2311276, 2311277, 2311278, 2311279, 2311280, 2311281, 2311182, 2311183, 2311191, 2311196, 2311198, 2311204, 2311208, 2311211, 2311213, 2311217, 2311220, 2311223, 2311225, 2311227, 2311233, 2311239, 2311241, 2311244, 2311247, 2311250, 2311252, 2311259, 2311260    
Bug Blocks:    

Description OSIDB Bzimport 2024-09-10 16:20:54 UTC
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

Comment 1 errata-xmlrpc 2024-10-07 09:25:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.6 for RHEL 8
  Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726

Comment 2 errata-xmlrpc 2024-10-07 09:26:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2024:7725 https://access.redhat.com/errata/RHSA-2024:7725

Comment 3 errata-xmlrpc 2024-10-22 01:07:02 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.7.0-RHEL-9

Via RHSA-2024:8014 https://access.redhat.com/errata/RHSA-2024:8014

Comment 4 errata-xmlrpc 2024-10-30 14:34:24 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676

Comment 5 errata-xmlrpc 2024-11-13 18:01:04 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:9583 https://access.redhat.com/errata/RHSA-2024:9583

Comment 6 errata-xmlrpc 2024-11-22 01:07:19 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2024:10186 https://access.redhat.com/errata/RHSA-2024:10186

Comment 7 errata-xmlrpc 2024-12-10 01:37:30 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:10906 https://access.redhat.com/errata/RHSA-2024:10906

Comment 9 errata-xmlrpc 2025-02-05 10:49:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875

Comment 17 errata-xmlrpc 2025-06-04 01:58:51 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:8479 https://access.redhat.com/errata/RHSA-2025:8479

Comment 18 errata-xmlrpc 2025-06-04 20:12:04 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544

Comment 19 errata-xmlrpc 2025-06-04 22:59:14 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:8551 https://access.redhat.com/errata/RHSA-2025:8551