Bug 2170644 (CVE-2022-38900) - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
Summary: CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-38900
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 2149084
Depends On: 2170649 2170650 2170664 2222350 2170648 2170651 2170652 2170653 2170654 2170655 2170656 2170657 2170658 2170660 2170661 2170662 2170663 2170665 2170666 2170667 2170668 2170669 2170670 2170671 2170672 2171806 2171807 2171808 2174577 2174772 2174773 2174774 2174775 2174776 2174777 2174778 2174779 2174780 2174781 2174782 2174783 2174784 2174785 2174786 2174787 2174788 2174789 2174790 2174791 2174792 2174793 2174794 2174795 2174796 2174797 2174798 2174799 2174800 2174801 2174802 2174803 2174804 2174805 2174806 2174807 2174808 2174809 2174810 2174811 2174812 2174813 2174814 2174815 2174816 2174817 2174818 2174819 2174820 2174821 2174822 2174823 2174824 2174825 2174826 2174827 2174828 2174829 2174830 2174831 2174832 2174843
Blocks: 2169680
Reported: 2023-02-16 21:20 UTC by Anten Skrabec
Modified: 2024-03-19 13:55 UTC (History)
CC: 159 users

Fixed In Version: decode-uri-component 0.2.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in decode-uri-component. This issue occurs due to a specially crafted input, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2023-04-12 21:06:21 UTC
Embargoed:
jwon: needinfo-

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1546 0 None None None 2023-04-03 12:04:14 UTC
Red Hat Product Errata RHBA-2023:1776 0 None None None 2023-04-13 14:58:55 UTC
Red Hat Product Errata RHBA-2023:1799 0 None None None 2023-04-17 07:30:53 UTC
Red Hat Product Errata RHBA-2023:1807 0 None None None 2023-04-17 14:08:05 UTC
Red Hat Product Errata RHBA-2023:1808 0 None None None 2023-04-17 14:08:18 UTC
Red Hat Product Errata RHBA-2023:1856 0 None None None 2023-04-18 22:33:21 UTC
Red Hat Product Errata RHBA-2023:1927 0 None None None 2023-04-24 01:07:55 UTC
Red Hat Product Errata RHSA-2023:1428 0 None None None 2023-03-23 02:16:39 UTC
Red Hat Product Errata RHSA-2023:1533 0 None None None 2023-03-30 12:36:10 UTC
Red Hat Product Errata RHSA-2023:1742 0 None None None 2023-04-12 14:58:57 UTC
Red Hat Product Errata RHSA-2023:1743 0 None None None 2023-04-12 14:59:22 UTC
Red Hat Product Errata RHSA-2023:1744 0 None None None 2023-04-12 15:07:45 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:52:30 UTC
Red Hat Product Errata RHSA-2023:4983 0 None None None 2023-09-05 18:37:29 UTC
Red Hat Product Errata RHSA-2023:6316 0 None None None 2023-11-07 08:12:58 UTC

Description Anten Skrabec 2023-02-16 21:20:08 UTC
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. 

https://github.com/SamVerschueren/decode-uri-component/issues/5

Comment 1 Anten Skrabec 2023-02-16 21:36:32 UTC
Created cockatrice tracking bugs for this issue:

Affects: fedora-36 [bug 2170652]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-36 [bug 2170653]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2170649]


Created grafana tracking bugs for this issue:

Affects: fedora-36 [bug 2170654]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-36 [bug 2170655]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-36 [bug 2170656]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2170650]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-36 [bug 2170657]


Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 2170648]


Created yarnpkg tracking bugs for this issue:

Affects: epel-8 [bug 2170651]


Created zuul tracking bugs for this issue:

Affects: fedora-36 [bug 2170658]

Comment 13 Pedro Sampaio 2023-02-28 12:04:31 UTC
*** Bug 2149084 has been marked as a duplicate of this bug. ***

Comment 14 Anten Skrabec 2023-03-01 21:12:15 UTC
Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2174577]

Comment 23 errata-xmlrpc 2023-03-23 02:16:32 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428

Comment 27 errata-xmlrpc 2023-03-30 12:36:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533

Comment 28 errata-xmlrpc 2023-04-12 14:58:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Comment 29 errata-xmlrpc 2023-04-12 14:59:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1743 https://access.redhat.com/errata/RHSA-2023:1743

Comment 30 errata-xmlrpc 2023-04-12 15:07:38 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:1744 https://access.redhat.com/errata/RHSA-2023:1744

Comment 31 Product Security DevOps Team 2023-04-12 21:06:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-38900

Comment 34 errata-xmlrpc 2023-06-22 19:52:21 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 35 Marian Rehak 2023-07-12 15:07:06 UTC
Created yarnpkg tracking bugs for this issue:

Affects: epel-8 [bug 2222350]

Comment 37 errata-xmlrpc 2023-09-05 18:37:19 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.4 async

Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983

Comment 38 errata-xmlrpc 2023-11-07 08:12:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6316 https://access.redhat.com/errata/RHSA-2023:6316
