Bug 2134609 (CVE-2022-3517, PRISMA-2022-0039) - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
Summary: CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3517, PRISMA-2022-0039
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2135441 2135442 2135443 2135444 2135445 2136882 2134945 2135440 2135446 2135447 2135448 2135449 2135450 2135451 2135452 2135453 2135454 2135455 2135456 2135457 2135458 2135459 2135460 2135461 2135462 2135464 2135465 2135466 2135467 2135468 2135469 2135470 2135471 2135472 2135473 2135482 2135483 2135484 2135485 2135486 2135487 2135488 2135489 2135490 2135491 2135492 2135493 2135494 2135495 2135497 2135499 2135501 2135502 2135503 2135504 2135505 2135506 2135507 2135508 2135509 2135518 2135519 2135520 2135667 2135668 2135669 2135670 2135671 2135672 2135887 2135888 2135889 2135890 2135891 2135892 2135893 2136816 2136817 2137247 2137248 2137745 2142825 2142826 2142827 2142828 2142829 2142830 2142832 2142833 2142834 2142835 2142837 2142839 2142841 2142842 2142843 2142844 2142845 2142846 2151880 2160552 2212561
Blocks: 2102890 2134950
TreeView+ depends on / blocked
 
Reported: 2022-10-13 18:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-03-15 11:21 UTC (History)
177 users (show)

Fixed In Version: nodejs-minimatch 3.0.5
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Clone Of:
Environment:
Last Closed: 2023-02-10 05:46:16 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1546 0 None None None 2023-04-03 12:03:44 UTC
Red Hat Product Errata RHBA-2023:1807 0 None None None 2023-04-17 14:07:58 UTC
Red Hat Product Errata RHBA-2023:1808 0 None None None 2023-04-17 14:08:08 UTC
Red Hat Product Errata RHBA-2023:1856 0 None None None 2023-04-18 22:33:14 UTC
Red Hat Product Errata RHBA-2023:1927 0 None None None 2023-04-24 01:07:47 UTC
Red Hat Product Errata RHSA-2022:8832 0 None None None 2022-12-06 15:32:53 UTC
Red Hat Product Errata RHSA-2022:8833 0 None None None 2022-12-06 15:35:33 UTC
Red Hat Product Errata RHSA-2022:9040 0 None None None 2022-12-14 22:40:34 UTC
Red Hat Product Errata RHSA-2022:9073 0 None None None 2022-12-15 16:16:56 UTC
Red Hat Product Errata RHSA-2023:0050 0 None None None 2023-01-09 14:50:48 UTC
Red Hat Product Errata RHSA-2023:0321 0 None None None 2023-01-23 15:19:28 UTC
Red Hat Product Errata RHSA-2023:0471 0 None None None 2023-01-26 12:15:06 UTC
Red Hat Product Errata RHSA-2023:0612 0 None None None 2023-02-06 19:39:44 UTC
Red Hat Product Errata RHSA-2023:0630 0 None None None 2023-02-07 18:37:00 UTC
Red Hat Product Errata RHSA-2023:1533 0 None None None 2023-03-30 12:35:45 UTC
Red Hat Product Errata RHSA-2023:1742 0 None None None 2023-04-12 14:58:34 UTC
Red Hat Product Errata RHSA-2023:1743 0 None None None 2023-04-12 14:59:06 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:52:09 UTC

Description Guilherme de Almeida Suckevicz 2022-10-13 18:07:59 UTC 
The nodejs-minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). It's possible to cause a denial of service when calling the braceExpand function.

References:
https://github.com/grafana/grafana-image-renderer/issues/329
Comment 1 Guilherme de Almeida Suckevicz 2022-10-14 17:53:27 UTC 
Upstream fix:
https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6
Comment 3 Guilherme de Almeida Suckevicz 2022-10-17 16:53:43 UTC 
Created breeze-icon-theme tracking bugs for this issue:

Affects: epel-all [bug 2135441]
Affects: fedora-all [bug 2135447]


Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2135448]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2135449]


Created fawkes tracking bugs for this issue:

Affects: fedora-all [bug 2135450]


Created gnome-shell-extension-material-shell tracking bugs for this issue:

Affects: fedora-all [bug 2135451]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2135452]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2135442]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2135453]


Created librealsense tracking bugs for this issue:

Affects: fedora-all [bug 2135454]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2135455]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2135456]


Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135440]


Created nodejs-bash-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2135457]


Created nodejs-diagnostic-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2135458]


Created nodejs-minimatch tracking bugs for this issue:

Affects: epel-all [bug 2135443]


Created nodejs-nodemon tracking bugs for this issue:

Affects: fedora-all [bug 2135459]


Created nodejs-tape tracking bugs for this issue:

Affects: fedora-all [bug 2135460]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135461]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2135444]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135462]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135464]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2135445]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135465]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135466]


Created opencc tracking bugs for this issue:

Affects: fedora-all [bug 2135467]


Created perl-Code-TidyAll tracking bugs for this issue:

Affects: fedora-all [bug 2135468]


Created python-howdoi tracking bugs for this issue:

Affects: fedora-all [bug 2135469]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2135446]
Affects: fedora-all [bug 2135470]


Created tdlib tracking bugs for this issue:

Affects: fedora-all [bug 2135471]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2135472]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2135473]
Comment 23 errata-xmlrpc 2022-12-06 15:32:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8832 https://access.redhat.com/errata/RHSA-2022:8832
Comment 24 errata-xmlrpc 2022-12-06 15:35:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:8833 https://access.redhat.com/errata/RHSA-2022:8833
Comment 25 errata-xmlrpc 2022-12-14 22:40:26 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:9040 https://access.redhat.com/errata/RHSA-2022:9040
Comment 26 errata-xmlrpc 2022-12-15 16:16:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073
Comment 38 errata-xmlrpc 2023-01-09 14:50:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050
Comment 46 errata-xmlrpc 2023-01-23 15:19:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321
Comment 47 errata-xmlrpc 2023-01-26 12:14:54 UTC 
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:0471 https://access.redhat.com/errata/RHSA-2023:0471
Comment 56 errata-xmlrpc 2023-02-06 19:39:34 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612
Comment 57 errata-xmlrpc 2023-02-07 18:36:52 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0630 https://access.redhat.com/errata/RHSA-2023:0630
Comment 58 Product Security DevOps Team 2023-02-10 05:46:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3517
Comment 59 errata-xmlrpc 2023-03-30 12:35:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533
Comment 60 errata-xmlrpc 2023-04-12 14:58:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742
Comment 61 errata-xmlrpc 2023-04-12 14:58:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1743 https://access.redhat.com/errata/RHSA-2023:1743
Comment 62 errata-xmlrpc 2023-06-22 19:51:58 UTC 
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
Note You need to log in before you can comment on or make changes to this bug.