A regular expression denial-of-service vulnerability was found in nodejs-brace-expansion. Running a specially crafted command would cause the application to hang for long periods of time.

References:
https://snyk.io/vuln/npm:brace-expansion:20170302

Upstream bug:
https://github.com/juliangruber/brace-expansion/issues/33

Upstream patch:
https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3
Created nodejs-brace-expansion tracking bugs for this issue: Affects: fedora-all [bug 1448381]
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:2625 https://access.redhat.com/errata/RHSA-2020:2625
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-18077
Statement: Red Hat Quay includes brace-expansion as a build-time dependency. It's not used at runtime and hence has a reduced impact of low.