Bug 1943208 (CVE-2021-23362) - CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()
Summary: CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service v...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-23362
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1943210 1944281 1945509 1945510 1946233 1943209 1943449 1943450 1943451 1943540 1943541 1944279 1944280 1945508 1945511 1945512 1945513 1945514 1945515 1945516 1945517 1945518 1945519 1946234 1946235 1946236 1946237 1947741 1947742 1947743 1947744 1947745 1952387 1981755 1981757 1991584 1991585 1991586 1991587
Blocks: 1943211
TreeView+ depends on / blocked
 
Reported: 2021-03-25 15:09 UTC by Pedro Sampaio
Modified: 2021-09-22 09:00 UTC (History)
73 users (show)

Fixed In Version: hosted-git-info 3.0.8, hosted-git-info 2.8.9
Doc Type: If docs needed, set a value
Doc Text:
A regular expression denial of service vulnerability was found in hosted-git-info. If an application allows user input into the affected regular expression (regexp) function, `shortcutMatch` or `fromUrl`, then an attacker could craft a regexp which takes an ever increasing amount of time to process, potentially resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2021-07-28 01:07:10 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:32:09 UTC
Red Hat Product Errata RHSA-2021:2931 0 None None None 2021-07-28 08:32:39 UTC
Red Hat Product Errata RHSA-2021:2932 0 None None None 2021-07-28 08:36:01 UTC
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:50:51 UTC
Red Hat Product Errata RHSA-2021:3073 0 None None None 2021-08-10 13:56:38 UTC
Red Hat Product Errata RHSA-2021:3074 0 None None None 2021-08-10 13:57:15 UTC
Red Hat Product Errata RHSA-2021:3638 0 None None None 2021-09-22 09:00:39 UTC
Red Hat Product Errata RHSA-2021:3639 0 None None None 2021-09-22 08:51:17 UTC

Description Pedro Sampaio 2021-03-25 15:09:30 UTC
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via shortcutMatch in fromUrl().

References:

https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355

Fixed releases : hosted-git-info 3.0.8, hosted-git-info 2.8.9

Comment 1 Pedro Sampaio 2021-03-25 15:10:13 UTC
Created nodejs-hosted-git-info tracking bugs for this issue:

Affects: epel-7 [bug 1943210]
Affects: fedora-all [bug 1943209]

Comment 4 Mark Cooper 2021-03-26 04:50:54 UTC
openshift-enterprise-console-container:
   Hoisted in several places but these all lead back to dev dependencies, i.e. hosted-git-info->normalize-package-data->read-pkg->node-sass->devDependency or jest. Also grepped the container js for `shortcutMatch` and `defaultRepresentation` and not hits. So marking not affected.

grafana components (OCP & OSSM);
   - "_project_#read-pkg#normalize-package-data" depends on it
   - Hoisted from "_project_#read-pkg#normalize-package-data#hosted-git-info"
   - Hoisted from "_project_#lerna#@lerna#create#npm-package-arg#hosted-git-info"
   - Hoisted from "_project_#lerna#@lerna#version#@lerna#conventional-commits#conventional-changelog-core#get-pkg-repo#hosted-git-info"

Looking at read-pkg its still only hoisted from dev deps, like jest, lerna etc. Also ran the container and grepped the webpack bundled code - so not affected.

Prometheus component (OCP & OSSM):
=> Found "hosted-git-info@2.8.5"
info Reasons this module exists
   - "eslint-plugin-import#read-pkg-up#read-pkg#normalize-package-data" depends on it
   - Hoisted from "eslint-plugin-import#read-pkg-up#read-pkg#normalize-package-data#hosted-git-info"


Which is hoisted from react-scripts   
   - Specified in "devDependencies"
   - Hoisted from "react-scripts#eslint-plugin-import"
Which react-script is a prod dep - so filed affected/delegated.

Thanos is the same as prometheus, so affected/delegated.

Comment 6 Mark Cooper 2021-03-26 04:58:06 UTC
For openshift-enterprise-console-container: actually correction, looks like it's hoisted also through patternfly-react so filing bug for it.

Comment 18 Jason Shepherd 2021-04-13 06:14:59 UTC
Statement:

While some components do package a vulnerable version of hosted-git-info, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. This applies to the following products:
  - OpenShift Container Platform (OCP)
  - OpenShift ServiceMesh (OSSM)
  - Red Hat Advanced Cluster Management for Kubernetes (RHACM)

Specifically the following components:
 - The OCP hive-container does ship the vulnerable component, however since OCP 4.6 the Metering product has been deprecated [1], set as wont-fix and may be fixed in a future release.

Red Hat Ceph Storage (RHCS) 4 packages a version of nodejs-hosted-git-info which is vulnerable to this flaw in the grafana-container shipped with it. 

Red Hat Quay includes hosted-git-info as a dependency of karma-coverage which is only used at development time. The hosted-git-info library is not used at runtime so the impact is low for Red Hat Quay.

[1] - https://access.redhat.com/solutions/5707561

Comment 22 Michael Johnson 2021-06-10 12:58:40 UTC
This should be updated to note that version 2.8.9 of hosted-git-info is now unaffected. Dependabot fixed this issue in drift by bumping version. https://github.com/RedHatInsights/drift-frontend/pull/472

Comment 23 errata-xmlrpc 2021-07-27 22:32:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Comment 24 Product Security DevOps Team 2021-07-28 01:07:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23362

Comment 25 errata-xmlrpc 2021-07-28 08:32:18 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2931 https://access.redhat.com/errata/RHSA-2021:2931

Comment 26 errata-xmlrpc 2021-07-28 08:35:49 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2932 https://access.redhat.com/errata/RHSA-2021:2932

Comment 27 errata-xmlrpc 2021-08-06 00:50:47 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 28 errata-xmlrpc 2021-08-10 13:56:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3073 https://access.redhat.com/errata/RHSA-2021:3073

Comment 29 errata-xmlrpc 2021-08-10 13:57:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3074 https://access.redhat.com/errata/RHSA-2021:3074

Comment 30 errata-xmlrpc 2021-09-22 08:51:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

Comment 31 errata-xmlrpc 2021-09-22 09:00:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638


Note You need to log in before you can comment on or make changes to this bug.