All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. References: https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067 https://github.com/jbgutierrez/path-parse/issues/8
Created nodejs-path-parse tracking bugs for this issue: Affects: fedora-all [bug 1956819]
Analysis is complete for AAP 1.2 and as a result, I found that none of the AAP components use the vulnerable functions in question, i.e. getAnnotationURL() and loadAnnotation(). Hence, marking AAP as "Not Affected".
Correcting the vulnerable functions: splitDeviceRe, splitTailRe and splitPathRe. None of these are used by AAP 1.2 or its components.
Statement: In Red Hat Quay, whilst a vulnerable version of `path-parse` is included in the quay-rhel8 container, it is a development dependency only, hence the impact of this vulnerability is low.
Since only the current version of ServiceMesh 2.0.x is supported for low and moderate impact vulnerabilities, the ServiceMesh 1.1.x components have been marked as OOSS.
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:2865 https://access.redhat.com/errata/RHSA-2021:2865
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23343
Updated the published date to match the public date from Snyk instead of the disclose date. Thanks @btarraso
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666
This issue has been addressed in the following products: RHACS-3.67-RHEL-8 Via RHSA-2021:4902 https://access.redhat.com/errata/RHSA-2021:4902