Bug 2140597 (CVE-2022-37603) - CVE-2022-37603 loader-utils:Regular expression denial of service
Summary: CVE-2022-37603 loader-utils:Regular expression denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-37603
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2140598 2143564 2140605 2140606 2140607 2140608 2140609 2140610 2140611 2140612 2140613 2140614 2140657 2140658 2140659 2140660 2140713 2140714 2140715 2140716 2140717 2140900 2140901 2140902 2140903 2140904 2140905 2140906 2159190
Blocks: 2135074
Reported: 2022-11-07 10:39 UTC by Vipul Nair
Modified: 2023-09-01 04:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
Clone Of:
Environment:
Last Closed: 2023-01-28 23:22:18 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8781 0 None None None 2022-12-08 07:38:14 UTC
Red Hat Product Errata RHSA-2023:0471 0 None None None 2023-01-26 12:15:22 UTC
Red Hat Product Errata RHSA-2023:0713 0 None None None 2023-02-09 11:35:59 UTC
Red Hat Product Errata RHSA-2023:0934 0 None None None 2023-02-28 00:50:38 UTC
Red Hat Product Errata RHSA-2023:1043 0 None None None 2023-03-01 21:43:40 UTC
Red Hat Product Errata RHSA-2023:1044 0 None None None 2023-03-01 21:46:07 UTC
Red Hat Product Errata RHSA-2023:1045 0 None None None 2023-03-01 21:48:43 UTC
Red Hat Product Errata RHSA-2023:1047 0 None None None 2023-03-01 21:51:23 UTC
Red Hat Product Errata RHSA-2023:1049 0 None None None 2023-03-01 21:59:36 UTC
Red Hat Product Errata RHSA-2023:1428 0 None None None 2023-03-23 02:16:16 UTC
Red Hat Product Errata RHSA-2023:3374 0 None None None 2023-05-31 10:51:45 UTC

Description Vipul Nair 2022-11-07 10:39:14 UTC
A regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0, via the url variable in interpolateName.js.
The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/

Comment 1 Vipul Nair 2022-11-07 10:41:42 UTC
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2140598]

Comment 2 Vipul Nair 2022-11-07 10:49:00 UTC
Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2140606]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2140607]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2140608]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2140609]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2140610]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2140611]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2140605]
Affects: fedora-all [bug 2140612]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2140613]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2140614]

Comment 15 errata-xmlrpc 2022-12-08 07:38:08 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781

Comment 23 errata-xmlrpc 2023-01-26 12:15:18 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:0471 https://access.redhat.com/errata/RHSA-2023:0471

Comment 24 Product Security DevOps Team 2023-01-28 23:22:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-37603

Comment 25 errata-xmlrpc 2023-02-09 11:35:53 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.1

Via RHSA-2023:0713 https://access.redhat.com/errata/RHSA-2023:0713

Comment 26 errata-xmlrpc 2023-02-28 00:50:31 UTC
This issue has been addressed in the following products:

  MTA-6.0-RHEL-8

Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934

Comment 27 errata-xmlrpc 2023-03-01 21:43:33 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 28 errata-xmlrpc 2023-03-01 21:46:00 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 29 errata-xmlrpc 2023-03-01 21:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 30 errata-xmlrpc 2023-03-01 21:51:17 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 31 errata-xmlrpc 2023-03-01 21:59:30 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 32 errata-xmlrpc 2023-03-23 02:16:12 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428

Comment 34 errata-xmlrpc 2023-05-31 10:51:39 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:3374 https://access.redhat.com/errata/RHSA-2023:3374
