A flaw was found in sshpk versions before 1.14.1. The regular expressions used for parsing OpenSSH-format public keys in sshpk are resulting in exponential increases in runtime when parsing maliciously constructed inputs.
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2020:2625 https://access.redhat.com/errata/RHSA-2020:2625
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Red Hat Quay includes sshpk as a dependency of protractor which is only used during a build. The sshpk dependency is not used at runtime therefore this vulnerability has a low impact for Red Hat Quay.