Bug 2131335 (CVE-2022-21222) - CVE-2022-21222 css-what: ReDoS due to insecure regular expression
Summary: CVE-2022-21222 css-what: ReDoS due to insecure regular expression
Keywords:
Status: NEW
Alias: CVE-2022-21222
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2134316 2134317 2134318 2134319 2134320 2134321 2134322 2134326 2134323 2134324
Blocks: 2131336
TreeView+ depends on / blocked
 
Reported: 2022-09-30 17:52 UTC by Sage McTaggart
Modified: 2023-01-20 05:19 UTC (History)
128 users (show)

Fixed In Version: css-what 2.1.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the css-what package. The flaw allows Regular expression denial of service (ReDoS) attacks, affecting system availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Sage McTaggart 2022-09-30 17:52:38 UTC
The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488
https://github.com/fb55/css-what/blob/a38effd5a8f5506d75c7f8f13cbd8c76248a3860/index.js%23L12

Comment 4 Patrick Del Bello 2022-10-13 07:23:50 UTC
Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2134317]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2134318]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2134319]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2134316]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2134320]


Created nodejs-svgo tracking bugs for this issue:

Affects: fedora-all [bug 2134321]


Created npm-name-cli tracking bugs for this issue:

Affects: fedora-all [bug 2134322]


Created python-pydata-sphinx-theme tracking bugs for this issue:

Affects: fedora-all [bug 2134323]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2134324]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2134326]


Note You need to log in before you can comment on or make changes to this bug.