Bug 2134609 (CVE-2022-3517, PRISMA-2022-0039) - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
Summary: CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
Keywords:
Status: NEW
Alias: CVE-2022-3517, PRISMA-2022-0039
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2134945 2135440 2135441 2135442 2135443 2135444 2135445 2135447 2135448 2135449 2135450 2135451 2135452 2135453 2135457 2135458 2135459 2135460 2135461 2135462 2135464 2135465 2135466 2135467 2135473 2135488 2135489 2135490 2135491 2135492 2135493 2135497 2135504 2135505 2135506 2135507 2135519 2135520 2135667 2135669 2135670 2135671 2135672 2135889 2136882 2137745 2142825 2142827 2142828 2142833 2142835 2142839 2142842 2151880 2160552 2135446 2135454 2135455 2135456 2135468 2135469 2135470 2135471 2135472 2135482 2135483 2135484 2135485 2135486 2135487 2135494 2135495 2135499 2135501 2135502 2135503 2135508 2135509 2135518 2135668 2135887 2135888 2135890 2135891 2135892 2135893 2136816 2136817 2137247 2137248 2142826 2142829 2142830 2142832 2142834 2142837 2142841 2142843 2142844 2142845 2142846
Blocks: 2102890 2134950
Reported: 2022-10-13 18:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-01-26 12:15 UTC (History)
CC List: 182 users

Fixed In Version: nodejs-minimatch 3.0.5
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the nodejs-minimatch package. A specially crafted pattern passed to the braceExpand function triggers excessive regular expression backtracking (ReDoS), tying up the calling process and resulting in a denial of service.
Clone Of:
Environment:
Last Closed:


Attachments: none


Links (Red Hat Product Errata; the Private, Priority, Status and Summary columns were empty for every entry)
Red Hat Product Errata RHSA-2022:8832, last updated 2022-12-06 15:32:53 UTC
Red Hat Product Errata RHSA-2022:8833, last updated 2022-12-06 15:35:33 UTC
Red Hat Product Errata RHSA-2022:9040, last updated 2022-12-14 22:40:34 UTC
Red Hat Product Errata RHSA-2022:9073, last updated 2022-12-15 16:16:56 UTC
Red Hat Product Errata RHSA-2023:0050, last updated 2023-01-09 14:50:48 UTC
Red Hat Product Errata RHSA-2023:0321, last updated 2023-01-23 15:19:28 UTC
Red Hat Product Errata RHSA-2023:0471, last updated 2023-01-26 12:15:06 UTC

Description Guilherme de Almeida Suckevicz 2022-10-13 18:07:59 UTC
The nodejs-minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). It's possible to cause a denial of service when calling the braceExpand function.

References:
https://github.com/grafana/grafana-image-renderer/issues/329

Comment 1 Guilherme de Almeida Suckevicz 2022-10-14 17:53:27 UTC
Upstream fix:
https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6
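To make the fix concrete, here is an added example (not code from the bug report, from the reporter, or from the minimatch project): it places the brace-detection check that braceExpand() used before 3.0.5 beside the form introduced by the commit above, and times both on a constructed worst-case pattern of many unclosed `{`. The two regexes are my transcription of that diff, so verify them against the linked commit before relying on them; the pathological input is constructed for the illustration and is not the reporter's reproduction.

```javascript
// Added example (not code from the bug report or from minimatch itself).
// Contrasts the brace-detection regex braceExpand() used before minimatch
// 3.0.5 with the one introduced by the upstream fix, as transcribed from
// the linked commit (verify against the diff). The pathological input is
// constructed here and is not the reporter's reproduction.

// Shape of the pre-3.0.5 check: greedy `.*` between braces. With many `{`
// and no `}`, the engine restarts at every `{` and backtracks across the
// rest of the string each time, so the cost grows quadratically with the
// pattern length.
const VULNERABLE_BRACE_RE = /\{.*\}/;

// Shape of the 3.0.5 check: the body may not contain another `{`, so each
// attempt stops at the next `{` and the total work stays linear. Both
// regexes accept exactly the same set of strings; only the cost differs.
const FIXED_BRACE_RE = /\{(?:(?!\{).)*\}/;

// Mirrors the early-return decision in braceExpand(): does this pattern
// need brace expansion at all?
function needsBraceExpansion(pattern, re) {
  return re.test(pattern);
}

// Constructed worst case: n opening braces, no closing brace.
function pathologicalPattern(n) {
  return '{'.repeat(n);
}

// Time one regex against one pattern; returns the match result and the
// wall-clock cost in milliseconds.
function timeRegex(re, pattern) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(pattern);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched, ms };
}

// Sanity check that the hardened regex is a drop-in replacement: both
// must give the same answer on ordinary glob patterns and edge cases.
function agreeOnBenignInputs() {
  const samples = ['{a,b}', 'src/**/*.{js,ts}', 'a{b}c', '{{a}', '{', '}', 'a}b{c', '', 'plain'];
  return samples.every(
    (p) => needsBraceExpansion(p, VULNERABLE_BRACE_RE) === needsBraceExpansion(p, FIXED_BRACE_RE)
  );
}

// Demo: n = 10000 is enough to see the quadratic blow-up without waiting
// long; doubling n roughly quadruples the vulnerable regex's time.
const demoPattern = pathologicalPattern(10000);
console.log('vulnerable regex:', timeRegex(VULNERABLE_BRACE_RE, demoPattern));
console.log('fixed regex:     ', timeRegex(FIXED_BRACE_RE, demoPattern));
console.log('agree on benign inputs:', agreeOnBenignInputs());
```

Run it with node. On a typical machine the greedy form takes on the order of hundreds of milliseconds at n = 10000 and keeps growing quadratically, while the hardened form finishes in well under a millisecond; both return false on that input, since they recognise the same language. Whatever the library version, glob patterns that arrive from untrusted sources (API parameters, rendering requests, uploaded configuration) are attacker-controlled input and deserve a length limit at the boundary.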

Comment 3 Guilherme de Almeida Suckevicz 2022-10-17 16:53:43 UTC
Created breeze-icon-theme tracking bugs for this issue:

Affects: epel-all [bug 2135441]
Affects: fedora-all [bug 2135447]


Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2135448]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2135449]


Created fawkes tracking bugs for this issue:

Affects: fedora-all [bug 2135450]


Created gnome-shell-extension-material-shell tracking bugs for this issue:

Affects: fedora-all [bug 2135451]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2135452]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2135442]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2135453]


Created librealsense tracking bugs for this issue:

Affects: fedora-all [bug 2135454]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2135455]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2135456]


Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135440]


Created nodejs-bash-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2135457]


Created nodejs-diagnostic-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2135458]


Created nodejs-minimatch tracking bugs for this issue:

Affects: epel-all [bug 2135443]


Created nodejs-nodemon tracking bugs for this issue:

Affects: fedora-all [bug 2135459]


Created nodejs-tape tracking bugs for this issue:

Affects: fedora-all [bug 2135460]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135461]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2135444]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135462]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135464]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2135445]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135465]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2135466]


Created opencc tracking bugs for this issue:

Affects: fedora-all [bug 2135467]


Created perl-Code-TidyAll tracking bugs for this issue:

Affects: fedora-all [bug 2135468]


Created python-howdoi tracking bugs for this issue:

Affects: fedora-all [bug 2135469]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2135446]
Affects: fedora-all [bug 2135470]


Created tdlib tracking bugs for this issue:

Affects: fedora-all [bug 2135471]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2135472]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2135473]
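The tracking bugs above show how widely minimatch is vendored or bundled, from Node.js itself to grafana, couchdb and the SpiderMonkey (mozjs) build trees. For an application owner the practical question is which copies in a dependency tree are still older than the fixed 3.0.5, including nested copies pinned by transitive dependencies. The following is an added example, not code from the bug report or from Red Hat: a scanner over package-lock.json that reports every minimatch entry below 3.0.5. The two sample lockfiles embedded in it are constructed for the example; the lockfile layouts it understands (v1 nested `dependencies`, v2/v3 flat `packages` keyed by node_modules path) are npm's.

```javascript
// Added example, not part of the bug report or of any Red Hat tooling: walk
// a package-lock.json and report every copy of minimatch older than 3.0.5,
// the fixed version named in this bug. Handles lockfileVersion 1 (nested
// "dependencies") and 2/3 (flat "packages" keyed by node_modules path).
// The sample lockfiles at the bottom are constructed for the example.

const FIXED_VERSION = [3, 0, 5];

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored, which
// is adequate for a lockfile that pins exact release versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function olderThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Yield {path, version} for each minimatch entry in the lockfile.
function* minimatchEntries(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: keys such as "node_modules/glob/node_modules/minimatch"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/minimatch' || path.endsWith('/node_modules/minimatch')) {
        yield { path, version: meta.version };
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects
    const walk = function* (deps, prefix) {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'minimatch') yield { path, version: meta.version };
        if (meta.dependencies) yield* walk(meta.dependencies, `${path}/`);
      }
    };
    yield* walk(lock.dependencies, '');
  }
}

// Return the vulnerable entries, sorted by path for stable output.
function findVulnerableMinimatch(lock) {
  const hits = [];
  for (const e of minimatchEntries(lock)) {
    if (olderThan(parseVersion(e.version), FIXED_VERSION)) hits.push(e);
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed lockfileVersion 3 sample: the direct minimatch is fixed, but
// glob still pins an old copy under its own node_modules.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { glob: '^7.0.0', minimatch: '^3.0.5' } },
    'node_modules/minimatch': { version: '3.0.5' },
    'node_modules/glob': { version: '7.1.7', dependencies: { minimatch: '^3.0.4' } },
    'node_modules/glob/node_modules/minimatch': { version: '3.0.4' },
  },
};

// The same tree expressed as a lockfileVersion 1 file.
const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    minimatch: { version: '3.0.5' },
    glob: { version: '7.1.7', dependencies: { minimatch: { version: '3.0.4' } } },
  },
};

for (const h of findVulnerableMinimatch(SAMPLE_LOCK_V3)) {
  console.log(`${h.path}: minimatch ${h.version} is older than 3.0.5`);
}
```

To scan a real project, replace SAMPLE_LOCK_V3 with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; the nested copy under glob in the sample is exactly the case that `npm ls minimatch` would also surface but that a check of the top-level dependency alone misses. This covers only npm-managed trees: copies that ship inside RPM-packaged software (the nodejs module streams, grafana, the mozjs builds and the other packages tracked above) are fixed through the distribution errata listed on this bug, not through a lockfile.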

Comment 23 errata-xmlrpc 2022-12-06 15:32:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8832 https://access.redhat.com/errata/RHSA-2022:8832

Comment 24 errata-xmlrpc 2022-12-06 15:35:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:8833 https://access.redhat.com/errata/RHSA-2022:8833

Comment 25 errata-xmlrpc 2022-12-14 22:40:26 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:9040 https://access.redhat.com/errata/RHSA-2022:9040

Comment 26 errata-xmlrpc 2022-12-15 16:16:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073

Comment 38 errata-xmlrpc 2023-01-09 14:50:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050

Comment 46 errata-xmlrpc 2023-01-23 15:19:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321

Comment 47 errata-xmlrpc 2023-01-26 12:14:54 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:0471 https://access.redhat.com/errata/RHSA-2023:0471

