Bug 2140597 (CVE-2022-37603) - CVE-2022-37603 loader-utils:Regular expression denial of service
Summary: CVE-2022-37603 loader-utils:Regular expression denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-37603
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2140598 2140606 2140607 2140608 2140609 2140613 2140614 2140713 2140714 2140715 2140716 2140717 2140900 2143564 2159190 2140605 2140610 2140611 2140612 2140657 2140658 2140659 2140660 2140901 2140902 2140903 2140904 2140905 2140906
Blocks: 2135074
TreeView+ depends on / blocked
 
Reported: 2022-11-07 10:39 UTC by Vipul Nair
Modified: 2023-01-28 23:22 UTC (History)
140 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
Clone Of:
Environment:
Last Closed: 2023-01-28 23:22:18 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8781 0 None None None 2022-12-08 07:38:14 UTC
Red Hat Product Errata RHSA-2023:0471 0 None None None 2023-01-26 12:15:22 UTC

Description Vipul Nair 2022-11-07 10:39:14 UTC
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/

Comment 1 Vipul Nair 2022-11-07 10:41:42 UTC
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2140598]

Comment 2 Vipul Nair 2022-11-07 10:49:00 UTC
Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2140606]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2140607]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2140608]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2140609]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2140610]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2140611]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2140605]
Affects: fedora-all [bug 2140612]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2140613]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2140614]

Comment 15 errata-xmlrpc 2022-12-08 07:38:08 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781

Comment 23 errata-xmlrpc 2023-01-26 12:15:18 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:0471 https://access.redhat.com/errata/RHSA-2023:0471

Comment 24 Product Security DevOps Team 2023-01-28 23:22:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-37603


Note You need to log in before you can comment on or make changes to this bug.