The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via shortcutMatch in fromUrl().
References:
https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
Fixed releases: hosted-git-info 3.0.8, hosted-git-info 2.8.9
Created nodejs-hosted-git-info tracking bugs for this issue:
Affects: epel-7 [bug 1943210]
Affects: fedora-all [bug 1943209]
Upstream fix: https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
openshift-enterprise-console-container: Hoisted in several places, but these all lead back to dev dependencies, i.e. hosted-git-info->normalize-package-data->read-pkg->node-sass->devDependency or jest. Also grepped the container JS for `shortcutMatch` and `defaultRepresentation` and got no hits. So marking not affected.

grafana components (OCP & OSSM):
- "_project_#read-pkg#normalize-package-data" depends on it
- Hoisted from "_project_#read-pkg#normalize-package-data#hosted-git-info"
- Hoisted from "_project_#lerna#@lerna#create#npm-package-arg#hosted-git-info"
- Hoisted from "_project_#lerna#@lerna#version#@lerna#conventional-commits#conventional-changelog-core#get-pkg-repo#hosted-git-info"
Looking at read-pkg, it's still only hoisted from dev deps, like jest, lerna etc. Also ran the container and grepped the webpack bundled code, so not affected.

Prometheus component (OCP & OSSM):
=> Found "hosted-git-info.5"
info Reasons this module exists
- "eslint-plugin-import#read-pkg-up#read-pkg#normalize-package-data" depends on it
- Hoisted from "eslint-plugin-import#read-pkg-up#read-pkg#normalize-package-data#hosted-git-info"
Which is hoisted from react-scripts:
- Specified in "devDependencies"
- Hoisted from "react-scripts#eslint-plugin-import"
react-scripts is a prod dep, so filed affected/delegated.

Thanos is the same as Prometheus, so affected/delegated.
For openshift-enterprise-console-container: actually, a correction: it looks like it's hoisted also through patternfly-react, so filing a bug for it.
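The triage in the two comments above (find every hoisted copy of hosted-git-info, compare it against the fixed releases, and decide whether it is reachable only through dev dependencies) can be scripted against an npm package-lock.json. The following is an added example, not code from the bug thread or from the hosted-git-info project; it assumes the lockfileVersion 1 layout (nested "dependencies" objects with a `dev: true` flag on dev-only packages) and uses a constructed sample lock rather than a real project's file.

```javascript
// Fixed releases from the report, keyed by major version line.
// Majors not listed here are not covered by this report and are reported as unknown (null).
const FIXED = { 2: [2, 8, 9], 3: [3, 0, 8] };

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Three-part numeric comparison; missing parts count as 0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// true  -> strictly older than the fix on its major line
// false -> at or above the fix
// null  -> major line not covered by the report
function isVulnerable(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  if (!fixed) return null;
  return compareVersions(parsed, fixed) < 0;
}

// Walk the nested lockfile v1 "dependencies" tree and record every copy of
// hosted-git-info with its hoisting path, version, dev flag and verdict.
function findHostedGitInfo(lock, path = [], out = []) {
  for (const [name, meta] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (name === 'hosted-git-info') {
      out.push({ path: here.join('>'), version: meta.version,
                 dev: Boolean(meta.dev), vulnerable: isVulnerable(meta.version) });
    }
    findHostedGitInfo(meta, here, out);
  }
  return out;
}

// Split the hits the way the thread does: vulnerable copies reachable at
// runtime (affected), vulnerable copies only via dev deps (not affected), and clean copies.
function triage(lock) {
  const hits = findHostedGitInfo(lock);
  return {
    runtime: hits.filter(h => h.vulnerable === true && !h.dev),
    devOnly: hits.filter(h => h.vulnerable === true && h.dev),
    clean: hits.filter(h => h.vulnerable === false),
  };
}

// Constructed sample lock (not a real project): one dev-only 2.x copy below the
// fix, one runtime 3.x copy below the fix, and one dev copy already at 2.8.9.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'hosted-git-info': { version: '2.8.8', dev: true },
    'npm-package-arg': { version: '8.1.0',
      dependencies: { 'hosted-git-info': { version: '3.0.7' } } },
    'read-pkg': { version: '5.2.0', dev: true,
      dependencies: { 'hosted-git-info': { version: '2.8.9', dev: true } } },
  },
};
```

Run `triage(JSON.parse(fs.readFileSync('package-lock.json')))` on a real lockfile; anything in `runtime` is the case the thread files as affected/delegated, while `devOnly` matches the "hoisted only from dev deps" verdict.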
Statement: While some components do package a vulnerable version of hosted-git-info, access to them requires OpenShift OAuth credentials and hence this has been marked with a Low impact. This applies to the following products:
- OpenShift Container Platform (OCP)
- OpenShift ServiceMesh (OSSM)
- Red Hat Advanced Cluster Management for Kubernetes (RHACM)
Specifically the following components:
- The OCP hive-container does ship the vulnerable component; however, since OCP 4.6 the Metering product has been deprecated [1], so it is set as wont-fix and may be fixed in a future release.

Red Hat Ceph Storage (RHCS) 4 packages a version of nodejs-hosted-git-info which is vulnerable to this flaw in the grafana-container shipped with it.

Red Hat Quay includes hosted-git-info as a dependency of karma-coverage, which is only used at development time. The hosted-git-info library is not used at runtime, so the impact is low for Red Hat Quay.

[1] - https://access.redhat.com/solutions/5707561
This should be updated to note that version 2.8.9 of hosted-git-info is now unaffected.

Dependabot fixed this issue in drift by bumping the version. https://github.com/RedHatInsights/drift-frontend/pull/472
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.8
Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23362
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:2931 https://access.redhat.com/errata/RHSA-2021:2931
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:2932 https://access.redhat.com/errata/RHSA-2021:2932
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:3073 https://access.redhat.com/errata/RHSA-2021:3073
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:3074 https://access.redhat.com/errata/RHSA-2021:3074
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638