Bug 1966615 (CVE-2021-33623) - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method
Summary: CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33623
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1970204 1975320 1966618 1970052 1970054 1970055 1971653 1972725 1972726 1972727 1972728 1972729 1972730 1972731 1972732 1975642 1975643
Blocks: 1966616
Reported: 2021-06-01 14:05 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-03-14 13:40 UTC (History)

Fixed In Version: trim-newlines 3.0.1, trim-newlines 4.0.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-trim-newlines. The trim-newlines package's .end() method is susceptible to regular expression denial-of-service (ReDoS).
Clone Of:
Environment:
Last Closed: 2021-08-06 01:07:32 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:51:29 UTC
Red Hat Product Errata RHSA-2021:4618 0 None None None 2021-11-11 18:32:13 UTC
Red Hat Product Errata RHSA-2022:5555 0 None None None 2022-07-14 12:54:12 UTC

Description Guilherme de Almeida Suckevicz 2021-06-01 14:05:52 UTC
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Reference:
https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1

Comment 1 Guilherme de Almeida Suckevicz 2021-06-01 14:08:23 UTC
Created nodejs-trim-newlines tracking bugs for this issue:

Affects: fedora-33 [bug 1966618]

Comment 2 juneau 2021-06-09 17:16:59 UTC
Marking services affected/delegated. Affected package is present, but no evidence at this time that the affected method is in use.

Comment 4 Anten Skrabec 2021-06-09 17:41:11 UTC
ossm-2 marked as affected/delegated, as spec file and yarn both report that trim-newlines is required both directly and indirectly. However, I can't find any usage of trim-newlines in the source code of grafana.

Comment 6 Tapas Jena 2021-06-10 05:24:41 UTC
Analysis is complete for Ansible Automation Platform. Though an affected version of the trim-newlines package is found in the dependency list (prod-sec manifest), there is no usage of the trim-newlines package or the trimNewlines() function with the end() method found in the source code of any component of AAP 1.2. Moreover, as the Ansible engineering team has confirmed that "they don't use the trim-newlines package and it's not in their dependency tree", I believe it's not in actual use. Also, the below command has returned no output.

# npm ls | grep "trim-newlines"

Having said that, marking this as "Affected" -> "delegated".

Comment 15 errata-xmlrpc 2021-08-06 00:51:26 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 16 Product Security DevOps Team 2021-08-06 01:07:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33623

Comment 17 errata-xmlrpc 2021-11-11 18:32:11 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618

Comment 18 errata-xmlrpc 2022-07-14 12:54:10 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:5555 https://access.redhat.com/errata/RHSA-2022:5555
