Bug 2216827 (CVE-2023-26115) - CVE-2023-26115 word-wrap: ReDoS
Summary: CVE-2023-26115 word-wrap: ReDoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-26115
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2216844 2216894 2216831 2216832 2216833 2216834 2216835 2216836 2216837 2216838 2216839 2216840 2216841 2216842 2216895 2216896 2217094
Blocks: 2216830
Reported: 2023-06-22 19:29 UTC by Anten Skrabec
Modified: 2024-03-15 02:54 UTC

Fixed In Version: word-wrap 1.2.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Node.js word-wrap module, which is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) issue in the result variable. By sending a specially crafted regex input, a remote attacker can cause a denial of service.
Clone Of:
Environment:
Last Closed: 2023-07-12 22:21:21 UTC
Embargoed:


Links
System                  | ID            | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata  | RHSA-2023:3998 | 0       | None     | None   | None    | 2023-07-12 17:58:10 UTC
Red Hat Product Errata  | RHSA-2023:5006 | 0       | None     | None   | None    | 2023-10-31 12:54:52 UTC
Red Hat Product Errata  | RHSA-2023:5376 | 0       | None     | None   | None    | 2023-09-27 14:22:46 UTC
Red Hat Product Errata  | RHSA-2023:5379 | 0       | None     | None   | None    | 2023-09-28 02:59:56 UTC
Red Hat Product Errata  | RHSA-2023:5447 | 0       | None     | None   | None    | 2023-10-05 01:04:10 UTC
Red Hat Product Errata  | RHSA-2023:7681 | 0       | None     | None   | None    | 2023-12-12 09:36:37 UTC

Description Anten Skrabec 2023-06-22 19:29:55 UTC
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.


https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657
https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39
https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973

Comment 3 Avinash Hanwate 2023-06-23 04:58:14 UTC
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2216894]


Created magicmirror tracking bugs for this issue:

Affects: fedora-all [bug 2216895]


Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 2216896]

Comment 9 errata-xmlrpc 2023-07-12 17:58:07 UTC
This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2023:3998 https://access.redhat.com/errata/RHSA-2023:3998

Comment 10 Product Security DevOps Team 2023-07-12 22:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-26115

Comment 14 errata-xmlrpc 2023-09-27 14:22:41 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:5376 https://access.redhat.com/errata/RHSA-2023:5376

Comment 15 errata-xmlrpc 2023-09-28 02:59:51 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.4.0-RHEL-9

Via RHSA-2023:5379 https://access.redhat.com/errata/RHSA-2023:5379

Comment 16 errata-xmlrpc 2023-10-05 01:04:06 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2023:5447 https://access.redhat.com/errata/RHSA-2023:5447

Comment 17 errata-xmlrpc 2023-10-31 12:54:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006

Comment 18 errata-xmlrpc 2023-12-12 09:36:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7681 https://access.redhat.com/errata/RHSA-2023:7681
