2216827 – (CVE-2023-26115) CVE-2023-26115 word-wrap: ReDoS

Bug 2216827 (CVE-2023-26115) - CVE-2023-26115 word-wrap: ReDoS

Summary: CVE-2023-26115 word-wrap: ReDoS

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2023-26115
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2216831 2216832 2216833 2216834 2216835 2216844 2216894 2216836 2216837 2216838 2216839 2216840 2216841 2216842 2216895 2216896 2217094
Blocks:	2216830
TreeView+	depends on / blocked

Reported:	2023-06-22 19:29 UTC by Anten Skrabec
Modified:	2023-08-10 10:00 UTC (History)
CC List:	116 users (show)
Fixed In Version:	word-wrap 1.2.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Node.js word-wrap module, where it is vulnerable to a denial of service caused by a Regular expression denial of service (ReDoS) issue in the result variable. By sending a specially crafted regex input, a remote attacker can cause a denial of service.
Clone Of:
Environment:
Last Closed:	2023-07-12 22:21:21 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:3998	0	None	None	None	2023-07-12 17:58:10 UTC

Description Anten Skrabec 2023-06-22 19:29:55 UTC

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.


https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657
https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39
https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973

Comment 3 Avinash Hanwate 2023-06-23 04:58:14 UTC

Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2216894]


Created magicmirror tracking bugs for this issue:

Affects: fedora-all [bug 2216895]


Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 2216896]

Comment 9 errata-xmlrpc 2023-07-12 17:58:07 UTC

This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2023:3998 https://access.redhat.com/errata/RHSA-2023:3998

Comment 10 Product Security DevOps Team 2023-07-12 22:21:15 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-26115

Note You need to log in before you can comment on or make changes to this bug.

aazores
adupliak
aileenc
alampare
alazarot
amctagga
ansmith
aveerama
bdettelb
boliveir
caswilli
chazlett
cluster-maint
dcadzow
dffrench
dfreiber
dhalasz
dhanak
dkenigsb
dkuc
drichtar
dymurray
eaguilar
ebaron
ellin
emingora
eric.wittmann
fdeutsch
fdupont
fjansen
gjospin
gmalinko
gparvin
grafana-maint
gzaronik
hbraun
hkataria
ibek
ibolton
idevat
janstey
jburrell
jcantril
jkang
jkoehler
jkurik
jmatthew
jmitchel
jmontleo
jpallich
jpavlik
jrokos
jross
jscotka
jshaughn
jtanner
jwendell
kaycoth
kshier
kverlaen
lbacciot
mcressma
micjohns
mlisik
mnovotny
mpitt
mpospisi
mresvani
nathans
nbecker
nboldt
ngough
njean
ocs-bugs
omular
oramraz
owatkins
pahickey
pantinor
pdelbell
pdrozd
peholase
periklis
pjindal
psegedy
pskopek
rcernich
release-test-team
rgarg
rgodfrey
rguimara
rjohnson
rogbas
rowaters
saroy
scorneli
scox
sfroberg
sgott
shbose
slucidi
smullick
sseago
stcannon
sthirugn
sthorger
tcarlin
teagle
tkasparek
tojeline
tsasak
twalsh
ubhargav
vkrizan
vkumar
vmugicag