The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. Reference: https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1
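Added illustration of the ReDoS class described above (this is example code written for this page, not the trim-newlines project's source or anything from the report). It assumes the vulnerable .end() can be modelled as a single regex replace of the form /[\r\n]+$/; the hardened variant is a hand-written backwards scan that I use as a stand-in for the upstream fix, not the upstream patch itself. The adversarial input (a long run of newlines followed by one non-newline character) is constructed for the demo.

```javascript
// Added example (not code from trim-newlines or from this bug report).
// Assumption: the vulnerable .end() is modelled as one regex replace of the
// form /[\r\n]+$/; the hardened form is my own reconstruction of a linear
// scan, not the upstream patch.

// Vulnerable shape. For input "\n".repeat(n) + "x" the engine starts the
// [\r\n]+ run at every newline position, greedily matches to the "x", fails
// the "$" anchor and then backtracks one character at a time. That is about
// n^2/2 steps, so a few hundred KB of newlines pins a CPU core (ReDoS).
function endVulnerable(string) {
  return string.replace(/[\r\n]+$/, '');
}

// Hardened: walk backwards over trailing CR/LF characters with no
// backtracking (O(n)), then slice once. Returns the original string object
// when there is nothing to trim, mirroring String.prototype.replace.
function endHardened(string) {
  let end = string.length;
  while (end > 0 && (string[end - 1] === '\n' || string[end - 1] === '\r')) {
    end -= 1;
  }
  return end === string.length ? string : string.slice(0, end);
}

// Constructed adversarial input: the newline run is NOT at the end of the
// string, so neither implementation strips anything, but the regex form
// backtracks heavily before giving up.
function adversarialInput(n) {
  return '\n'.repeat(n) + 'x';
}

// Wall-clock one call on the given input; returns milliseconds.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Differential check used when swapping implementations: both forms must
// agree on ordinary input before the hardened one can replace the regex.
function sameResult(input) {
  return endVulnerable(input) === endHardened(input);
}

// Demo: the regex column grows roughly 4x each time n doubles; the loop
// column stays flat. Raise n further to see the regex become a real DoS.
for (const n of [1000, 4000, 16000]) {
  const input = adversarialInput(n);
  console.log(
    `n=${n}: regex ${timeMs(endVulnerable, input).toFixed(1)} ms, ` +
    `loop ${timeMs(endHardened, input).toFixed(1)} ms`,
  );
}
```

The triage question in the comments below (is the affected method actually reachable?) is what decides whether this matters in a given product: the quadratic cost only bites when attacker-controlled text reaches the regex-based .end() (or the combined trimNewlines(), which uses the same anchored pattern on the tail of the string).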
Created nodejs-trim-newlines tracking bugs for this issue: Affects: fedora-33 [bug 1966618]
Marking services affected/delegated. Affected package is present, but no evidence at this time that the affected method is in use.
ossm-2 marked as affected/delegated, as the spec file and yarn both report that trim-newlines is required both directly and indirectly. However, I can't find any usage of trim-newlines in the source code of grafana.
Analysis is complete for Ansible Automation Platform. Though an affected version of the trim-newlines package is found in the dependency list (prod-sec manifest), there is no usage of the trim-newlines package or the trimNewlines() function with the end() method found in the source code of any component of AAP 1.2. Moreover, as the Ansible engineering team has confirmed that "they don't use the trim-newlines package and it's not in their dependency tree", I believe it's not in actual use. Also, the below command has returned no output.

# npm ls | grep "trim-newlines"

Having said that, marking this as "Affected" -> "delegated".
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33623
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2022:5555 https://access.redhat.com/errata/RHSA-2022:5555