2131335 – (CVE-2022-21222) CVE-2022-21222 css-what: ReDoS due to insecure regular expression

Bug 2131335 (CVE-2022-21222) - CVE-2022-21222 css-what: ReDoS due to insecure regular expression

Summary: CVE-2022-21222 css-what: ReDoS due to insecure regular expression

Keywords:
Status:	NEW
Alias:	CVE-2022-21222
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2134316 2134317 2134318 2134319 2134320 2134321 2134322 2134323 2134324 2134326
Blocks:	2131336
TreeView+	depends on / blocked

Reported:	2022-09-30 17:52 UTC by Sage McTaggart
Modified:	2024-02-01 09:01 UTC (History)
CC List:	116 users (show)
Fixed In Version:	css-what 2.1.3
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in the css-what package. The flaw allows Regular expression denial of service (ReDoS) attacks, affecting system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Sage McTaggart 2022-09-30 17:52:38 UTC

The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488
https://github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12

Comment 4 Patrick Del Bello 2022-10-13 07:23:50 UTC

Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2134317]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2134318]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2134319]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2134316]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2134320]


Created nodejs-svgo tracking bugs for this issue:

Affects: fedora-all [bug 2134321]


Created npm-name-cli tracking bugs for this issue:

Affects: fedora-all [bug 2134322]


Created python-pydata-sphinx-theme tracking bugs for this issue:

Affects: fedora-all [bug 2134323]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2134324]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2134326]

Note You need to log in before you can comment on or make changes to this bug.

agerstmayr
aileenc
alazarot
asoldano
balejosg
bbaranow
bbuckingham
bcoca
bcourt
bmaxwell
brian.stansberry
cdewolf
chazlett
cluster-maint
darran.lofthouse
davidn
dkreling
dosoudil
dwhatley
dymurray
ehelms
emingora
epacific
epel-packagers-sig
eric.wittmann
etirelli
extras-orphan
fdeutsch
fjuma
gmalinko
go-sig
gparvin
grafana-maint
ibek
ibolton
idevat
iweiss
janstey
jburrell
jcammara
jcantril
jhardy
jkurik
jmatthew
jmontleo
jneedle
jobarker
jochrist
jrokos
jross
jshaughn
jsherril
jwendell
jwon
kmalyjur
kverlaen
lemenkov
lgao
link
loganjerry
lzap
mabashia
manisandro
mgoodwin
mhulan
michel
mlisik
mmccune
mnovotny
mosmerov
mpospisi
msochure
msvehla
mwringe
nathans
nboldt
ngompa13
njean
nmoumoul
nwallace
omular
openstack-sig
orabin
oramraz
osapryki
oskutka
pabelanger
pahickey
pantinor
pcreech
pdelbell
peholase
periklis
pjindal
pmackay
rcernich
rchan
rgodfrey
rguimara
rstancel
scorneli
simaishi
slucidi
smaestri
smcdonal
smullick
sseago
stcannon
tojeline
tom.jenkinson
twalsh
tzimanyi
vkumar
yguenane
zebob.m
zsadeh