The mime module is vulnerable to regular expression denial of service (ReDoS) when a mime lookup (mime.lookup) is performed on untrusted user input. A crafted input string makes the regular expression that extracts the file extension backtrack excessively, so a single oversized request can keep the single-threaded Node.js event loop busy and deny service to other clients.
Upstream issue:
https://github.com/broofa/node-mime/issues/167
Upstream patches:
https://github.com/broofa/node-mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d
https://github.com/broofa/node-mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0
Created nodejs-mime tracking bugs for this issue:
Affects: epel-all [bug 1500701]
Affects: fedora-all [bug 1500702]
External References: https://nodesecurity.io/advisories/535
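The following is an added example, not code from node-mime, Red Hat, or the advisory. It shows why an unanchored extension-stripping regex in lookup() is quadratic on attacker-controlled input and why anchoring it with ^ (the shape of the upstream fix) makes it linear. The two regexes are what I understand the pre-fix and post-fix lookup() used; treat the exact patterns and the version mapping as assumptions. The TYPES table is a constructed three-entry subset of the real mime database, and MAX_PATH_LEN in lookupGuarded is my own interim mitigation for deployments that cannot take the update yet, not something the advisory prescribes.

```javascript
// Added example; not node-mime's or Red Hat's code. Regex patterns below are
// assumed to match the vulnerable and fixed lookup() implementations.

// Unanchored: the engine retries at every start offset, and at each offset
// the greedy `.*` runs to the end of the string and then backtracks one
// character at a time looking for a separator. Input with no '.', '/' or '\'
// therefore costs O(n^2) steps. (Assumed pre-fix pattern.)
const VULN_EXT_RE = /.*[\.\/\\]/;

// Anchored with `^`: one attempt from offset 0, worst case O(n).
// (Assumed post-fix pattern.)
const FIXED_EXT_RE = /^.*[\.\/\\]/;

// Constructed subset of a mime type database.
const TYPES = { html: 'text/html', json: 'application/json', png: 'image/png' };
const DEFAULT_TYPE = 'application/octet-stream';

function extVulnerable(p) {
  return p.replace(VULN_EXT_RE, '').toLowerCase();
}

function extFixed(p) {
  return p.replace(FIXED_EXT_RE, '').toLowerCase();
}

// Same shape as mime.lookup(path, fallback): strip everything up to the last
// '.', '/' or '\' and look the remaining extension up.
function lookup(p, extFn = extFixed, fallback = DEFAULT_TYPE) {
  return TYPES[extFn(p)] || fallback;
}

// Interim mitigation (my suggestion, not from the advisory): bound the input
// before the vulnerable regex ever sees it. Quadratic cost on at most
// MAX_PATH_LEN characters is harmless; on a megabyte it is not.
const MAX_PATH_LEN = 4096;
function lookupGuarded(p, fallback = DEFAULT_TYPE) {
  if (typeof p !== 'string' || p.length > MAX_PATH_LEN) return fallback;
  return lookup(p, extVulnerable, fallback);
}

// Constructed attacker input: n characters containing no separator at all.
function pathological(n) {
  return 'a'.repeat(n);
}

function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Time both extractors on the same pathological input.
function compare(n) {
  const input = pathological(n);
  return { slowMs: timeMs(extVulnerable, input), fastMs: timeMs(extFixed, input) };
}

// Doubling n roughly quadruples the unanchored time; the anchored one stays flat.
for (const n of [4000, 8000, 16000]) {
  const { slowMs, fastMs } = compare(n);
  console.log(`n=${n}: unanchored ${slowMs.toFixed(1)} ms, anchored ${fastMs.toFixed(3)} ms`);
}
console.log(lookup('/srv/www/index.HTML'), lookup('C:\\tmp\\shot.PNG'),
            lookupGuarded(pathological(1000000)));
```

Note that both extractors return identical results on ordinary paths; the fix changes only the matching strategy, not the extension semantics, which is what makes it a safe drop-in for the affected packages.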
This issue affects the versions of rh-nodejs4-nodejs-mime as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Created nodejs-mime tracking bugs for this issue:
Affects: openshift-1 [bug 1516749]
The vulnerable function call, mime.lookup, is not used in any RHMAP services. Marking it as not affected.
Statement: Red Hat Virtualization 4.2 EUS contained a vulnerable version of nodejs-mime in the ovirt-engine-dashboard package. This package has been removed in Red Hat Virtualization 4.2. Red Hat Quay includes mime as a dependency of Karma. It is only used at build time, not at runtime, so this vulnerability has a low impact on Red Hat Quay.
This issue has been addressed in the following products:
Red Hat Quay 3
Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917