1879733 – (CVE-2020-7733) CVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of service via the regex

Bug 1879733 (CVE-2020-7733) - CVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of service via the regex

Summary: CVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of service via t...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-7733
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1973627 1973628 1973629 1879793 1880981 1880982 1910065 1972550 1972551
Blocks:	1879735
TreeView+	depends on / blocked

Reported:	2020-09-16 20:40 UTC by Pedro Sampaio
Modified:	2021-11-16 14:46 UTC (History)
CC List:	34 users (show)
Fixed In Version:	nodejs-ua-parser-js 0.7.22
Clone Of:
Environment:
Last Closed:	2021-07-22 15:54:42 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:2865	0	None	None	None	2021-07-22 15:11:52 UTC
Red Hat Product Errata	RHSA-2021:4626	0	None	None	None	2021-11-16 14:46:49 UTC

Description Pedro Sampaio 2020-09-16 20:40:51 UTC

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

References:

https://github.com/faisalman/ua-parser-js/commit/233d3bae22a795153a7e6638887ce159c63e557d
https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-674666

Comment 4 Przemyslaw Roguski 2020-09-17 14:50:50 UTC

Statement:

Red Hat OpenShift Container Platform 4 delivers the kibana package where the ua-parser-js library is bundled, but during the update to container first (to openshift4/ose-logging-kibana6) the dependency was removed and hence kibana package is marked as wontfix. This may be fixed in the future.

Comment 7 juneau 2020-10-08 14:04:26 UTC

Marking  services-automation-service-catalog and services-management-platform as "notaffected."

Comment 8 Przemyslaw Roguski 2020-12-15 19:13:39 UTC

External References:

https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226

Comment 15 errata-xmlrpc 2021-07-22 15:11:48 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:2865 https://access.redhat.com/errata/RHSA-2021:2865

Comment 16 Product Security DevOps Team 2021-07-22 15:54:42 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7733

Comment 17 errata-xmlrpc 2021-11-16 14:46:47 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:4626 https://access.redhat.com/errata/RHSA-2021:4626

Note You need to log in before you can comment on or make changes to this bug.

abonas
alegrand
anpicker
aos-bugs
bmontgom
dblechte
dfediuck
eedri
eparis
erooth
gparvin
hvyas
jburrell
jcantril
jokerman
jramanat
jweiser
kakkoyun
kconner
lcosic
mgoldboi
michal.skrivanek
nstielau
pkrupa
rcernich
sbonazzo
sgratch
sherold
sponnaga
stcannon
surbania
tfister
thee
yturgema