Bug 2280601 (CVE-2024-4067) - CVE-2024-4067 micromatch: vulnerable to Regular Expression Denial of Service
Summary: CVE-2024-4067 micromatch: vulnerable to Regular Expression Denial of Service
Keywords:
Status: NEW
Alias: CVE-2024-4067
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2280765 2280766 2281799 2280764 2280767 2280768 2280769 2280770 2280771 2280772 2280773 2280774 2280775 2280776 2280778 2280779 2280781 2280782 2280783 2280784 2280785 2280786 2280790 2280791 2280792 2280794
Blocks: 2280602
Reported: 2024-05-15 11:12 UTC by Rohit Keshri
Modified: 2025-06-30 08:27 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:10775 0 None None None 2024-12-04 01:00:29 UTC
Red Hat Product Errata RHSA-2024:8906 0 None None None 2024-11-05 17:24:42 UTC

Description Rohit Keshri 2024-05-15 11:12:54 UTC
The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching keeps backtracking through the input while it does not find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

https://devhub.checkmarx.com/cve-details/CVE-2024-4067/
https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247
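
The mitigation the report asks for, as an added illustration that is not micromatch's own code or fix: the greedy check is assumed to be of the form `/\{.*\}/` (the page only says the pattern uses `.*`), and `hasBracesLinear`, `expandIfBraced` and the sample patterns are constructed here.

```javascript
// Added example, not micromatch's code. The greedy check below is ASSUMED to be
// of the form /\{.*\}/ (the report only says the pattern uses `.*`); the real
// line is at the linked index.js#L448.
const greedyHasBraces = (pattern) => /\{.*\}/.test(pattern);

// Safe replacement: a "{...}" group exists iff some '{' is followed, anywhere
// later in the string, by a '}'. Two indexOf scans, O(n), and no backtracking
// however the input is shaped, so an unclosed '{' costs one pass, not n passes.
function hasBracesLinear(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('Expected a string');
  const open = pattern.indexOf('{');
  if (open === -1) return false;
  return pattern.indexOf('}', open + 1) !== -1;
}

// Constructed sample patterns (no newlines: the regex's `.` would not cross
// one, while indexOf treats it as an ordinary character).
const SAMPLES = ['a/{b,c}/d', 'a/{b,c', 'a/b}/c', '{}', 'no-braces', '}{', '{a}{'];

// Both checks must agree on every sample before the regex can be swapped out.
function agreesWithGreedy(samples = SAMPLES) {
  return samples.every((s) => greedyHasBraces(s) === hasBracesLinear(s));
}

// Guard in the shape of micromatch.braces(): only hand the pattern to a brace
// expander when the linear check says a group is present.
function expandIfBraced(pattern, expand) {
  if (!hasBracesLinear(pattern)) return [pattern];
  return expand(pattern);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('agree on samples:', agreesWithGreedy());
  // A long run of unclosed '{' completes in one pass with the linear check.
  console.log('unclosed group detected:', hasBracesLinear('{'.repeat(1e6)));
}
```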

Comment 1 Rohit Keshri 2024-05-16 09:29:06 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 2280765]
Affects: fedora-all [bug 2280769]


Created breeze-icon-theme tracking bugs for this issue:

Affects: fedora-all [bug 2280770]


Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2280771]


Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2280772]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2280764]
Affects: epel-all [bug 2280766]


Created golang-github-task tracking bugs for this issue:

Affects: fedora-all [bug 2280773]


Created h3 tracking bugs for this issue:

Affects: fedora-all [bug 2280774]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2280775]


Created nodejs-bash-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2280776]


Created nodejs-diagnostic-language-server tracking bugs for this issue:

Affects: fedora-all [bug 2280778]


Created onnxruntime tracking bugs for this issue:

Affects: fedora-all [bug 2280779]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-all [bug 2280781]


Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 2280782]


Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2280783]


Created rstudio tracking bugs for this issue:

Affects: fedora-all [bug 2280784]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2280767]
Affects: fedora-all [bug 2280785]


Created yarnpkg tracking bugs for this issue:

Affects: epel-all [bug 2280768]
Affects: fedora-all [bug 2280786]

Comment 8 errata-xmlrpc 2024-11-05 17:24:31 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906

Comment 11 errata-xmlrpc 2024-12-04 01:00:18 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.6

Via RHSA-2024:10775 https://access.redhat.com/errata/RHSA-2024:10775

