Bug 1448380 (CVE-2017-18077) - CVE-2017-18077 nodejs-brace-expansion: Regular expression denial-of-service
Summary: CVE-2017-18077 nodejs-brace-expansion: Regular expression denial-of-service
Keywords:
Status: NEW
Alias: CVE-2017-18077
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1448381 1470126 1598176 1598177
Blocks: 1448382
TreeView+ depends on / blocked
 
Reported: 2017-05-05 10:13 UTC by Andrej Nemec
Modified: 2019-09-29 14:11 UTC (History)
32 users (show)

Fixed In Version: nodejs-brace-expansion 1.1.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Andrej Nemec 2017-05-05 10:13:21 UTC
A Regular expression denial-of-service vulnerability was found in nodejs-brace-expansion. Running a specially crafted command would cause the application to hang for long periods of time.

References:

https://snyk.io/vuln/npm:brace-expansion:20170302

Upstream bug:

https://github.com/juliangruber/brace-expansion/issues/33

Upstream patch:

https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3

Comment 1 Andrej Nemec 2017-05-05 10:14:02 UTC
Created nodejs-brace-expansion tracking bugs for this issue:

Affects: fedora-all [bug 1448381]


Note You need to log in before you can comment on or make changes to this bug.