Bug 1448380 (CVE-2017-18077) - CVE-2017-18077 nodejs-brace-expansion: Regular expression denial of service
Summary: CVE-2017-18077 nodejs-brace-expansion: Regular expression denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-18077
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1448381 1470126 1598176 1598177
Blocks: 1448382
TreeView+ depends on / blocked
 
Reported: 2017-05-05 10:13 UTC by Andrej Nemec
Modified: 2020-06-19 05:20 UTC (History)
32 users (show)

Fixed In Version: nodejs-brace-expansion 1.1.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-19 05:20:21 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2625 None None None 2020-06-19 03:44:12 UTC

Description Andrej Nemec 2017-05-05 10:13:21 UTC
A Regular expression denial-of-service vulnerability was found in nodejs-brace-expansion. Running a specially crafted command would cause the application to hang for long periods of time.

References:

https://snyk.io/vuln/npm:brace-expansion:20170302

Upstream bug:

https://github.com/juliangruber/brace-expansion/issues/33

Upstream patch:

https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3

Comment 1 Andrej Nemec 2017-05-05 10:14:02 UTC
Created nodejs-brace-expansion tracking bugs for this issue:

Affects: fedora-all [bug 1448381]

Comment 8 errata-xmlrpc 2020-06-19 03:44:09 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:2625 https://access.redhat.com/errata/RHSA-2020:2625

Comment 9 Product Security DevOps Team 2020-06-19 05:20:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-18077


Note You need to log in before you can comment on or make changes to this bug.