Bug 2156324 (CVE-2021-35065) - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
Summary: CVE-2021-35065 glob-parent: Regular Expression Denial of Service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-35065
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2156636 2156444 2156445 2156446 2156447 2156448 2156449 2156450 2156451 2156452 2156453 2156454 2156455 2156456 2156457 2156462 2156637 2156638 2156639 2156640 2156641 2156642 2156643 2156644 2156645 2156646 2156647 2156648 2156649 2156650 2156651 2156652 2156653 2156654 2156655 2156656 2156657 2156658 2156659 2156660 2175829 2175830 2175831 2175832 2178079 2178080 2178081 2178082 2178083 2178084 2178085 2178144 2178145 2178146
Blocks: 2156325
Reported: 2022-12-26 12:21 UTC by Avinash Hanwate
Modified: 2023-09-26 21:14 UTC (History)
CC: 138 users

Fixed In Version: glob-parent 6.0.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks, affecting system availability.
Clone Of:
Environment:
Last Closed: 2023-02-12 15:09:36 UTC
Embargoed:

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2023:1546  0        None      None    None     2023-04-03 12:04:01 UTC
Red Hat Product Errata  RHBA-2023:1807  0        None      None    None     2023-04-17 14:08:00 UTC
Red Hat Product Errata  RHBA-2023:1808  0        None      None    None     2023-04-17 14:08:10 UTC
Red Hat Product Errata  RHBA-2023:1856  0        None      None    None     2023-04-18 22:33:14 UTC
Red Hat Product Errata  RHBA-2023:1927  0        None      None    None     2023-04-24 01:07:47 UTC
Red Hat Product Errata  RHSA-2023:0612  0        None      None    None     2023-02-06 19:39:51 UTC
Red Hat Product Errata  RHSA-2023:0634  0        None      None    None     2023-02-09 14:01:18 UTC
Red Hat Product Errata  RHSA-2023:0934  0        None      None    None     2023-02-28 00:50:50 UTC
Red Hat Product Errata  RHSA-2023:1043  0        None      None    None     2023-03-01 21:44:09 UTC
Red Hat Product Errata  RHSA-2023:1044  0        None      None    None     2023-03-01 21:46:38 UTC
Red Hat Product Errata  RHSA-2023:1045  0        None      None    None     2023-03-01 21:49:06 UTC
Red Hat Product Errata  RHSA-2023:1047  0        None      None    None     2023-03-01 21:50:09 UTC
Red Hat Product Errata  RHSA-2023:1049  0        None      None    None     2023-03-01 22:00:12 UTC
Red Hat Product Errata  RHSA-2023:1533  0        None      None    None     2023-03-30 12:35:55 UTC
Red Hat Product Errata  RHSA-2023:1582  0        None      None    None     2023-04-04 09:48:22 UTC
Red Hat Product Errata  RHSA-2023:1583  0        None      None    None     2023-04-04 09:48:39 UTC
Red Hat Product Errata  RHSA-2023:1742  0        None      None    None     2023-04-12 14:58:39 UTC
Red Hat Product Errata  RHSA-2023:1743  0        None      None    None     2023-04-12 14:59:05 UTC
Red Hat Product Errata  RHSA-2023:2654  0        None      None    None     2023-05-09 11:46:34 UTC

Description Avinash Hanwate 2022-12-26 12:21:37 UTC
The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.

https://github.com/gulpjs/glob-parent/commit/3e9f04a3b4349db7e1962d87c9a7398cda51f339
https://github.com/gulpjs/glob-parent/pull/49
https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294

Comment 4 Avinash Hanwate 2022-12-28 04:10:37 UTC
Created cockatrice tracking bugs for this issue:

Affects: fedora-36 [bug 2156638]


Created gnome-shell-extension-material-shell tracking bugs for this issue:

Affects: fedora-36 [bug 2156639]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-36 [bug 2156640]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2156636]


Created grafana tracking bugs for this issue:

Affects: fedora-36 [bug 2156641]


Created llhttp tracking bugs for this issue:

Affects: fedora-37 [bug 2156650]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-36 [bug 2156642]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-36 [bug 2156643]


Created nodejs-diagnostic-language-server tracking bugs for this issue:

Affects: fedora-36 [bug 2156644]
Affects: fedora-37 [bug 2156651]


Created nodejs-nodemon tracking bugs for this issue:

Affects: fedora-36 [bug 2156645]


Created pcs tracking bugs for this issue:

Affects: fedora-36 [bug 2156646]
Affects: fedora-37 [bug 2156652]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-37 [bug 2156653]


Created seamonkey tracking bugs for this issue:

Affects: epel-8 [bug 2156637]
Affects: fedora-36 [bug 2156647]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-36 [bug 2156648]
Affects: fedora-37 [bug 2156654]


Created zuul tracking bugs for this issue:

Affects: fedora-36 [bug 2156649]

Comment 20 errata-xmlrpc 2023-02-06 19:39:45 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612

Comment 22 errata-xmlrpc 2023-02-09 14:01:11 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0634 https://access.redhat.com/errata/RHSA-2023:0634

Comment 23 Product Security DevOps Team 2023-02-12 15:09:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-35065

Comment 24 errata-xmlrpc 2023-02-28 00:50:45 UTC
This issue has been addressed in the following products:

  MTA-6.0-RHEL-8

Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934

Comment 25 errata-xmlrpc 2023-03-01 21:44:05 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 26 errata-xmlrpc 2023-03-01 21:46:32 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 27 errata-xmlrpc 2023-03-01 21:49:02 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 28 errata-xmlrpc 2023-03-01 21:50:03 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 29 errata-xmlrpc 2023-03-01 22:00:07 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 31 errata-xmlrpc 2023-03-30 12:35:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533

Comment 32 errata-xmlrpc 2023-04-04 09:48:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1582 https://access.redhat.com/errata/RHSA-2023:1582

Comment 33 errata-xmlrpc 2023-04-04 09:48:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1583 https://access.redhat.com/errata/RHSA-2023:1583

Comment 34 errata-xmlrpc 2023-04-12 14:58:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Comment 35 errata-xmlrpc 2023-04-12 14:58:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1743 https://access.redhat.com/errata/RHSA-2023:1743

Comment 36 errata-xmlrpc 2023-05-09 11:46:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2654 https://access.redhat.com/errata/RHSA-2023:2654
