ansi-regex is vulnerable to Inefficient Regular Expression Complexity External Reference: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
Created nodejs-ansi-regex tracking bugs for this issue:
Affects: epel-7 [bug 2007559]
Affects: fedora-33 [bug 2007558]
Upstream pull request: https://github.com/chalk/ansi-regex/pull/37 Upstream commit: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
This issue was introduced in ansi-regex 3.0.0 via this commit: https://github.com/chalk/ansi-regex/commit/69bebf6b8b1ac9b4d70a411109b88bb650972f65
This issue also affects npm and nodejs-nodemon packages, which bundle affected versions of ansi-regex. There are multiple copies of ansi-regex in each of those packages included as their dependencies.
Upstream bug report for npm about affected ansi-regex versions bundled with npm: https://github.com/npm/cli/issues/3785 The latest npm version at the time - 8.0.0 - is still affected.
The nodejs package is also affected. In addition to including npm with affected ansi-regex versions (see comments above), it also includes a copy of the problematic regular expression in its internal modules: https://github.com/nodejs/node/blob/v14.18.1/lib/internal/util/inspect.js#L201-L208 This regular expression was fixed (using the fix from the ansi-regex module) in nodejs version 16.11.0: https://github.com/nodejs/node/commit/66d310167725dc7785b6cc684f1c3c0b4af8fe6c https://github.com/nodejs/node/pull/40214
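Because the comments above note that npm and nodemon bundle several nested copies of ansi-regex, a plain top-level dependency check misses most of them. The following added example (not code from this bug or from the ansi-regex project) walks a node_modules tree, lists every copy with its version, and flags those at or above 3.0.0, the release the thread names as introducing the pattern; the first fixed version of each major line is an input you supply from the upstream pull request, not a value assumed here, and the sample tree is constructed.

```python
import json
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
AFFECTED_FROM: Version = (3, 0, 0)  # the thread names 3.0.0 as the introducing release

def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; pre-release/build suffixes are dropped."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

def find_ansi_regex_copies(root: Path) -> List[Tuple[Path, Version]]:
    """Every node_modules/ansi-regex/package.json under root, however deeply nested."""
    found = []
    for pkg in root.rglob("package.json"):
        if pkg.parent.name != "ansi-regex" or pkg.parent.parent.name != "node_modules":
            continue
        data = json.loads(pkg.read_text(encoding="utf-8"))
        if data.get("name") == "ansi-regex" and "version" in data:
            found.append((pkg.parent, parse_version(data["version"])))
    return sorted(found)

def is_affected(version: Version, fixed_from: Optional[Dict[int, Version]] = None) -> bool:
    """True when version >= 3.0.0 and below the first fixed release of its major line.
    fixed_from (major -> first fixed version) must come from the upstream advisory;
    a major with no entry is treated as unfixed."""
    if version < AFFECTED_FROM:
        return False
    fixed = (fixed_from or {}).get(version[0])
    return fixed is None or version < fixed

def report(root: Path, fixed_from: Optional[Dict[int, Version]] = None) -> List[str]:
    """One line per copy, so duplicates bundled by npm or nodemon each show up."""
    return [f"{'AFFECTED' if is_affected(v, fixed_from) else 'ok':8} {'.'.join(map(str, v))} {p}"
            for p, v in find_ansi_regex_copies(root)]

def write_sample_tree(base: Path) -> None:
    """Constructed sample tree (not a real install): a top-level copy and one nested
    under a bundled package, each with a different version, as the thread describes."""
    for rel, ver in [("node_modules/ansi-regex", "2.1.1"),
                     ("node_modules/bundler/node_modules/ansi-regex", "3.0.0")]:
        d = base / rel
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"name": "ansi-regex", "version": ver}))
```

Run `report(Path("/path/to/project"), fixed_from={...})` against a real checkout; the nested copies under npm's own node_modules are the ones an `npm ls` of your direct dependencies will not show you.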
This vulnerability is out of security support scope for the following products:
* Red Hat AMQ Online
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:0041 https://access.redhat.com/errata/RHSA-2022:0041
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3807
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2022:4711 https://access.redhat.com/errata/RHSA-2022:4711
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.6 Via RHSA-2022:4814 https://access.redhat.com/errata/RHSA-2022:4814
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2022:5483 https://access.redhat.com/errata/RHSA-2022:5483
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2022:5555 https://access.redhat.com/errata/RHSA-2022:5555
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595