The enclosure regex used to check for glob enclosures containing a path separator is vulnerable to Regular Expression Denial of Service (ReDoS). An attacker who can supply a crafted string to the glob-parent function can make the regex engine backtrack excessively, consuming CPU time and causing a denial of service.
External References: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
Upstream Commit (released in glob-parent 5.1.2): https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366
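As an added worked example (not code from glob-parent or from this bug report), the enclosure regex shipped in glob-parent 5.1.1 is placed next to the 5.1.2 replacement from the upstream commit above. The two regex literals are the ones from those releases; the attack string, the sample paths and the timing helper are constructed here for illustration only.

```javascript
// Added example for this bug, not glob-parent's own code: the enclosure regex
// from glob-parent 5.1.1 beside the 5.1.2 replacement, with a constructed
// input that shows the backtracking blow-up and a check that the fix does not
// change which strings the regex accepts.

// glob-parent <= 5.1.1. Three adjacent quantifiers (.* then [\/]* then .*)
// can carve up one run of slashes in O(n^2) ways, and every split is tried
// before the trailing [\}\]]$ is finally reported as not matching.
const VULNERABLE_ENCLOSURE = /[\{\[].*[\/]*.*[\}\]]$/;

// glob-parent 5.1.2. [\/]* only ever matched characters that .* already
// covers, so dropping it leaves the accepted language unchanged while leaving
// a single quantifier for the engine to backtrack over.
const FIXED_ENCLOSURE = /[\{\[].*[\}\]]$/;

// Constructed attack input (our own, not a quoted proof of concept): an
// opening enclosure that is never closed, followed by n path separators.
function attackString(n) {
  return '{' + '/'.repeat(n);
}

// Run one regex test and report whether it matched and how long it took.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, elapsedMs };
}

// The fix is only safe to ship if both regexes accept exactly the same inputs.
function regexesAgree(inputs) {
  return inputs.every(
    (s) => VULNERABLE_ENCLOSURE.test(s) === FIXED_ENCLOSURE.test(s)
  );
}

// Constructed sample paths: enclosures with and without a separator inside,
// an unclosed enclosure, a stray closer, a plain path and a short attack string.
const SAMPLE_PATHS = [
  'src/{a,b}',
  'src/{a/x,b/y}',
  'foo/[abc]',
  'foo/[a/b]',
  '{/a,/b}',
  'plain/path',
  'src/{unclosed',
  'trailing}',
  attackString(50),
];

// Time both regexes on an attack string of length n.
function compare(n) {
  const input = attackString(n);
  return {
    vulnerable: timeTest(VULNERABLE_ENCLOSURE, input),
    fixed: timeTest(FIXED_ENCLOSURE, input),
  };
}

// Doubling n should roughly quadruple the vulnerable regex's time, while the
// fixed regex stays flat. Neither regex matches the attack string.
console.log('regexes agree on sample paths:', regexesAgree(SAMPLE_PATHS));
for (const n of [4000, 8000, 16000]) {
  const r = compare(n);
  console.log(
    `n=${n}: vulnerable ${r.vulnerable.elapsedMs.toFixed(1)} ms, ` +
      `fixed ${r.fixed.elapsedMs.toFixed(3)} ms, matched=${r.vulnerable.matched}`
  );
}
```

The point to take from the timing loop is the growth rate rather than the absolute numbers: the old regex's cost grows with the square of the run of separators after an unclosed `{` or `[`, because `.*`, `[\/]*` and `.*` all compete for the same characters and the engine tries every split before giving up, whereas the fixed regex backtracks once per character. Where upgrading is not immediately possible, the mitigating factor is the one noted for nodemon below: the string handed to glob-parent should come from trusted configuration, not from request data.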
Created nodejs-glob-parent tracking bugs for this issue: Affects: fedora-all [bug 1945464]
This issue affects the version of glob-parent bundled with the nodejs-nodemon packages in Red Hat Software Collections and Red Hat Enterprise Linux 8. However, there does not seem to be any practical exposure of the issue to untrusted inputs via nodemon; nodemon only uses glob-parent to process paths to directories it is configured to watch, i.e. the input passed to glob-parent comes from nodemon's configuration file.
Statement: While some components do package a vulnerable version of glob-parent, access to them requires OpenShift OAuth credentials and hence they have been marked with a Low impact. This applies to the following products:
- OpenShift Container Platform (OCP)
- OpenShift ServiceMesh (OSSM)
- Red Hat Advanced Cluster Management for Kubernetes (RHACM)
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7
Via RHSA-2021:1499 https://access.redhat.com/errata/RHSA-2021:1499
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28469
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:2865 https://access.redhat.com/errata/RHSA-2021:2865
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:4626 https://access.redhat.com/errata/RHSA-2021:4626
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595