Bug 1892430 (CVE-2020-7754) - CVE-2020-7754 nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-7754
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1892431 1892432 1893983 1893984 1893985 1893986 1893987 1893988 1894337 1916390 1916396 1916459 1917858 1917861 1917865
Blocks: 1892433
Reported: 2020-10-28 18:32 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 18:59 UTC
CC: 16 users

Fixed In Version: npm-user-validate 1.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-04 20:42:15 UTC
Embargoed:


Links
System                   ID               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2021:0421   0        None      None    None     2021-02-04 17:18:05 UTC
Red Hat Product Errata   RHSA-2021:0485   0        None      None    None     2021-02-11 13:35:21 UTC
Red Hat Product Errata   RHSA-2021:0521   0        None      None    None     2021-02-15 18:26:06 UTC
Red Hat Product Errata   RHSA-2021:0548   0        None      None    None     2021-02-16 14:31:45 UTC
Red Hat Product Errata   RHSA-2021:0549   0        None      None    None     2021-02-16 14:32:37 UTC
Red Hat Product Errata   RHSA-2021:0551   0        None      None    None     2021-02-16 14:33:34 UTC

Description Guilherme de Almeida Suckevicz 2020-10-28 18:32:18 UTC
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

Reference:
https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p

Upstream patch:
https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e
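
Added example (not part of the original report, and not npm-user-validate's own code): a constructed email regex that exhibits the class of catastrophic backtracking the description above refers to, beside a hardened validator (length cap plus a regex with no nested quantifiers), a regex-free validator, and a timing probe that makes the difference visible. The vulnerable pattern, the 254-character cap, the null/Error return convention and the function names are assumptions for illustration; the actual upstream regex and fix are in the advisory and commit linked above.

```javascript
'use strict';

// Added example, not npm-user-validate's own code. VULNERABLE_EMAIL_RE is a
// constructed pattern showing the failure class from the advisory (catastrophic
// backtracking on long input starting with '@'); it is an assumption about the
// bug's shape, not the upstream regex. Validators return null on success and an
// Error on failure (a convention assumed here).

// Nested quantifier: ([^\s]+)* can split a run of '@' into exponentially many
// groups before the engine gives up, so a non-matching input of n '@'s costs
// roughly 2^n backtracking steps.
const VULNERABLE_EMAIL_RE = /^([^\s]+)*@[^\s]+$/;

// Hardened: no nested quantifiers, and the class before '@' excludes '@', so
// each character can be consumed in only one way.
const SAFE_EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Length cap applied before any regex runs; 254 follows common SMTP practice
// (an assumption for this example, not taken from the upstream fix).
const MAX_EMAIL_LENGTH = 254;

function validateEmailVulnerable(em) {
  return VULNERABLE_EMAIL_RE.test(em) ? null : new Error('Email must be an email address');
}

function validateEmailSafe(em) {
  if (typeof em !== 'string') return new Error('Email must be a string');
  if (em.length > MAX_EMAIL_LENGTH) {
    return new Error(`Email must be at most ${MAX_EMAIL_LENGTH} characters`);
  }
  return SAFE_EMAIL_RE.test(em) ? null : new Error('Email must be an email address');
}

// Regex-free variant: one pass over the string, linear by construction.
function validateEmailNoRegex(em) {
  if (typeof em !== 'string' || em.length === 0 || em.length > MAX_EMAIL_LENGTH) {
    return new Error(`Email must be a non-empty string of at most ${MAX_EMAIL_LENGTH} characters`);
  }
  let at = -1;
  let dot = -1;
  for (let i = 0; i < em.length; i++) {
    const c = em[i];
    if (c === ' ' || c === '\t' || c === '\r' || c === '\n') {
      return new Error('Email must not contain whitespace');
    }
    if (c === '@') {
      if (at !== -1) return new Error('Email must contain exactly one @');
      at = i;
    } else if (c === '.' && at !== -1) {
      dot = i; // last '.' in the domain part
    }
  }
  // non-empty local part, and a non-empty label on both sides of the last '.'
  if (at > 0 && dot > at + 1 && dot < em.length - 1) return null;
  return new Error('Email must be an email address');
}

// Constructed attack input: n '@' characters plus a trailing space, so the
// final [^\s]+$ can never match and the engine must backtrack exhaustively.
function redosPayload(n) {
  return '@'.repeat(n) + ' ';
}

// Time a validator on payloads of increasing size; returns milliseconds per
// size. One warm-up call keeps regex compilation out of the first measurement.
function probe(validator, sizes) {
  validator(redosPayload(4));
  return sizes.map((n) => {
    const input = redosPayload(n);
    const start = process.hrtime.bigint();
    validator(input);
    return Number(process.hrtime.bigint() - start) / 1e6;
  });
}

function main() {
  const sizes = [12, 16, 20];
  console.log('sizes        :', sizes);
  console.log('vulnerable ms:', probe(validateEmailVulnerable, sizes).map((t) => t.toFixed(3)));
  console.log('hardened   ms:', probe(validateEmailSafe, sizes).map((t) => t.toFixed(3)));
  console.log('no-regex   ms:', probe(validateEmailNoRegex, sizes).map((t) => t.toFixed(3)));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it with node: the vulnerable timings roughly double with every extra '@' while the hardened and regex-free validators stay flat, because the length cap bounds the work before any pattern runs and the patterns themselves have no overlapping ways to consume a character. The same probe can be pointed at any validator that handles attacker-controlled strings, which is the check to run before accepting a regex-based dependency such as this one into a build.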

Comment 1 Guilherme de Almeida Suckevicz 2020-10-28 18:32:43 UTC
Created nodejs-npm-user-validate tracking bugs for this issue:

Affects: epel-all [bug 1892432]
Affects: fedora-all [bug 1892431]

Comment 6 Mark Cooper 2020-11-04 05:03:16 UTC
External References:

https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p

Comment 7 Mark Cooper 2020-11-04 05:56:08 UTC
Also added CodeReady to the task, as that is normally attached to npm flaws, which has this vulnerable library (one of the primary uses of it).

Comment 8 Mark Cooper 2020-11-06 00:09:07 UTC
Statement:

In Red Hat Enterprise Linux 8 and Software Collections, `npm-user-validate` is used exclusively for `npm`. As a result, this vulnerability is considered Low in such a context.

In OpenShift Container Platform (OCP) 3.11 and 4.4 the kibana package has been marked Low (similar to RHEL8) as it is primarily used for npm and is protected via OpenShift OAuth. Additionally, whilst OCP 4.4 does deliver the kibana package, due to the code changing to container-first content, it has been marked as wontfix at this time and may be fixed in a future release.

Additionally, the openshift4/ose-logging-kibana6 container is not represented on the CVE page as it gets npm from the Red Hat Software Collections and as such the ose-logging-kibana6 container will be updated when the rh-nodejs10-nodejs package is.

Comment 9 errata-xmlrpc 2021-02-04 17:18:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0421 https://access.redhat.com/errata/RHSA-2021:0421

Comment 10 Product Security DevOps Team 2021-02-04 20:42:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7754

Comment 11 errata-xmlrpc 2021-02-11 13:35:20 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0485 https://access.redhat.com/errata/RHSA-2021:0485

Comment 12 errata-xmlrpc 2021-02-15 18:26:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521

Comment 13 errata-xmlrpc 2021-02-16 14:31:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548

Comment 14 errata-xmlrpc 2021-02-16 14:32:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0549 https://access.redhat.com/errata/RHSA-2021:0549

Comment 15 errata-xmlrpc 2021-02-16 14:33:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0551 https://access.redhat.com/errata/RHSA-2021:0551
