The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see the linked upstream commit for details).
Reference: https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
Upstream patch: https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18
External References: https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
Statement: Red Hat OpenShift Container Platform 4 delivers the kibana package, in which the ua-parser-js library is bundled, but during the move to a container-first build (openshift4/ose-logging-kibana6) the dependency was removed, so the kibana package is marked as wontfix. This may be fixed in the future. Red Hat Ceph Storage 3 and 4 ship a version of grafana that pulls in a version of ua-parser-js (0.7.9) that contains the affected code.
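Because ua-parser-js is typically pulled in transitively (as the grafana and kibana cases above show), the practical defender's task is to locate every copy in a dependency tree and compare it against the fixed release 0.7.23. The script below is an added example, not code from the advisory or from the ua-parser-js project: it walks a package-lock v1 style nested "dependencies" tree and reports every path where ua-parser-js appears at a version below 0.7.23. The lock tree is constructed for illustration (the grafana and kibana version numbers in it are assumed; the 0.7.9 value is the one the statement cites).

```javascript
// Added example (not from the advisory): flag vulnerable ua-parser-js
// versions (< 0.7.23) inside a package-lock.json style dependency tree.

const FIXED_VERSION = "0.7.23"; // first release carrying the upstream ReDoS fix

// Compare two dotted numeric versions (e.g. "0.7.9" vs "0.7.23").
// Returns -1, 0 or 1; missing components are treated as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A version is affected when it sorts strictly below the fixed release.
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Recursively walk a lockfile-v1 style tree ({ dependencies: { name: { version,
// dependencies } } }) and collect every vulnerable ua-parser-js occurrence
// together with the dependency path that pulls it in.
function findVulnerable(tree, pathPrefix = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = [...pathPrefix, name];
    if (name === "ua-parser-js" && isVulnerable(info.version)) {
      hits.push({ path: path.join(" > "), version: info.version });
    }
    hits.push(...findVulnerable(info, path));
  }
  return hits;
}

// Constructed sample lock tree (versions for grafana and kibana are assumed):
// grafana pulls the affected 0.7.9, kibana pulls the fixed 0.7.23.
const sampleLock = {
  dependencies: {
    grafana: {
      version: "6.0.0",
      dependencies: { "ua-parser-js": { version: "0.7.9" } },
    },
    kibana: {
      version: "6.8.0",
      dependencies: { "ua-parser-js": { version: "0.7.23" } },
    },
  },
};

console.log(findVulnerable(sampleLock));
// [ { path: 'grafana > ua-parser-js', version: '0.7.9' } ]
```

Run it against a real lock file by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the path in each hit tells you which top-level package to upgrade or override, which is the information a simple `npm ls` does not always make obvious for deeply nested copies.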