Bug 1956818 (CVE-2021-23343) - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
Summary: CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and sp...
Keywords:
Status: NEW
Alias: CVE-2021-23343
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1956819 1958057 1958058 1958059 1958060 1958061 1958062 1958063 1958064 1958065
Blocks: 1956821
Reported: 2021-05-04 13:29 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-05-17 07:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:

Description Guilherme de Almeida Suckevicz 2021-05-04 13:29:38 UTC
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

References:
https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067
https://github.com/jbgutierrez/path-parse/issues/8

Comment 1 Guilherme de Almeida Suckevicz 2021-05-04 13:30:55 UTC
Created nodejs-path-parse tracking bugs for this issue:

Affects: fedora-all [bug 1956819]

Comment 3 Tapas Jena 2021-05-10 19:01:54 UTC
Analysis is complete for AAP 1.2 and as a result, I found that none of the AAP components use the concerned vulnerable functions, i.e. getAnnotationURL() and loadAnnotation(). Hence, marking AAP as "Not Affected".

Comment 4 Tapas Jena 2021-05-10 19:04:19 UTC
Correcting the vulnerable functions: splitDeviceRe, splitTailRe and splitPathRe. None of these are used by AAP 1.2 and its components.

Comment 7 Przemyslaw Roguski 2021-05-11 18:05:56 UTC
Statement:

In Red Hat Quay, whilst a vulnerable version of `path-parse` is included in the quay-rhel8 container, it is a development dependency only, hence the impact of this vulnerability is low.
