1907451 – (CVE-2020-7793) CVE-2020-7793 nodejs-ua-parser-js: ReDoS in multiple regexes

Bug 1907451 (CVE-2020-7793) - CVE-2020-7793 nodejs-ua-parser-js: ReDoS in multiple regexes

Summary: CVE-2020-7793 nodejs-ua-parser-js: ReDoS in multiple regexes

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-7793
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1976216 1879793 1880981 1880982 1907524 1907525 1908118 1908119 1908120 1910065 1924698
Blocks:	1907452
TreeView+	depends on / blocked

Reported:	2020-12-14 14:38 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-10-28 08:41 UTC (History)
CC List:	24 users (show)
See Also:	https://issues.redhat.com/browse/POL-406 https://issues.redhat.com/browse/MIGENG-882 https://issues.redhat.com//browse/MIGENG-882 https://issues.redhat.com//browse/POL-406
Fixed In Version:	nodejs-ua-parser-js 0.7.23
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in nodejs-ua-parser-js. The software is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes.
Clone Of:
Environment:
Last Closed:	2021-10-28 08:41:56 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-12-14 14:38:45 UTC

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Reference:
https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599

Upstream patch:
https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18

Comment 4 Przemyslaw Roguski 2020-12-15 19:12:59 UTC

External References:

https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599

Comment 5 Sage McTaggart 2020-12-15 21:02:16 UTC

Statement:

Red Hat OpenShift Container Platform 4 delivers the kibana package where the ua-parser-js library is bundled, but during the update to container first (to openshift4/ose-logging-kibana6) the dependency was removed and hence kibana package is marked as wontfix. This may be fixed in the future.

Red Hat Ceph Storage 3 and 4 ship a version of grafana that pulls a version of ua-parser-js (0.7.9) that uses the affected code.

Note You need to log in before you can comment on or make changes to this bug.

amctagga
anpicker
aos-bugs
bmontgom
branto
eparis
erooth
gghezzo
gparvin
hvyas
jburrell
jcantril
jokerman
jramanat
jweiser
kaycoth
lcosic
nstielau
rcernich
sadams
sponnaga
stcannon
surbania
thee