Bug 1945459 (CVE-2020-28469) - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
Summary: CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-28469
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1948026 1948027 1948029 1948031 1951624 1945464 1946321 1946322 1946323 1946324 1946325 1946326 1946327 1946328 1946329 1946330 1946331 1946332 1948025 1948028 1948030 1948333 1948334 1948335 1948336 1972657 1972658 1972659 1989904 1989905 2028130 2028131 2029479 2029527
Blocks: 1945460
Reported: 2021-04-01 01:08 UTC by Jason Shepherd
Modified: 2022-02-01 21:14 UTC

Fixed In Version: nodejs-glob-parent 5.1.2
Doc Text:
A flaw was found in nodejs-glob-parent. The enclosure regex used to check for glob enclosures containing backslashes is vulnerable to Regular Expression Denial of Service attacks. This flaw allows an attacker to cause a denial of service if they can supply a malicious string to the glob-parent function. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-05-04 20:33:49 UTC


Links (Red Hat Product Errata)
ID              Last Updated
RHBA-2021:3400  2021-08-31 20:51:16 UTC
RHBA-2021:3478  2021-09-09 12:32:56 UTC
RHSA-2021:2438  2021-07-27 22:32:09 UTC
RHSA-2021:2865  2021-07-22 15:12:08 UTC
RHSA-2021:3016  2021-08-06 00:50:58 UTC
RHSA-2021:3280  2021-08-26 10:18:49 UTC
RHSA-2021:3281  2021-08-26 10:15:18 UTC
RHSA-2021:4626  2021-11-16 14:46:53 UTC
RHSA-2021:5171  2021-12-15 19:27:55 UTC
RHSA-2022:0246  2022-01-25 09:23:24 UTC
RHSA-2022:0350  2022-02-01 21:14:17 UTC

Description Jason Shepherd 2021-04-01 01:08:44 UTC
The enclosure regex used to check for glob enclosures containing backslash is vulnerable to Regular Expression Denial of Service attacks. An attacker can use this flaw to cause a denial of service if they can supply a malicious string to the glob-parent function.

Comment 1 Jason Shepherd 2021-04-01 01:13:41 UTC
External References:

https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905

Comment 3 Jason Shepherd 2021-04-01 01:17:54 UTC
Created nodejs-glob-parent tracking bugs for this issue:

Affects: fedora-all [bug 1945464]

Comment 7 Tomas Hoger 2021-04-09 19:05:11 UTC
This issue affects the version of glob-parent bundled with the nodejs-nodemon packages in Red Hat Software Collections and Red Hat Enterprise Linux 8. However, there does not seem to be any practical exposure of the issue to untrusted inputs via nodemon; nodemon only uses glob-parent to process paths to directories it is configured to watch. I.e. the input passed to glob-parent comes from nodemon's configuration file.

Comment 13 Borja Tarraso 2021-04-27 08:57:27 UTC
Statement:

While some components do package a vulnerable version of glob-parent, access to them requires OpenShift OAuth credentials and hence they have been marked with a Low impact. This applies to the following products:
   - OpenShift Container Platform (OCP)
   - OpenShift ServiceMesh (OSSM)
   - Red Hat Advanced Cluster Management for Kubernetes (RHACM)

Comment 14 errata-xmlrpc 2021-05-04 20:14:50 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1499 https://access.redhat.com/errata/RHSA-2021:1499

Comment 15 Product Security DevOps Team 2021-05-04 20:33:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28469

Comment 17 errata-xmlrpc 2021-07-22 15:12:00 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:2865 https://access.redhat.com/errata/RHSA-2021:2865

Comment 18 errata-xmlrpc 2021-07-27 22:32:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Comment 19 errata-xmlrpc 2021-08-06 00:50:55 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 20 errata-xmlrpc 2021-08-26 10:15:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

Comment 21 errata-xmlrpc 2021-08-26 10:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

Comment 22 errata-xmlrpc 2021-11-16 14:46:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:4626 https://access.redhat.com/errata/RHSA-2021:4626

Comment 25 errata-xmlrpc 2021-12-15 19:27:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171

Comment 26 errata-xmlrpc 2022-01-25 09:23:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246

Comment 27 errata-xmlrpc 2022-02-01 21:14:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350
