CVE-2020-28469

Published: 12 Jan 2021
Source: redhat
CVSS3: 7.5

Description

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

A flaw was found in nodejs-glob-parent. The enclosure regex used to check for glob enclosures containing backslashes is vulnerable to Regular Expression Denial of Service attacks. This flaw allows an attacker to cause a denial of service if they can supply a malicious string to the glob-parent function. The highest threat from this vulnerability is to system availability.

Report

While some components do package a vulnerable version of glob-parent, access to them requires OpenShift OAuth credentials, and hence they have been marked with a Low impact. This applies to the following products:

  • OpenShift Container Platform (OCP)
  • OpenShift ServiceMesh (OSSM)
  • Red Hat Advanced Cluster Management for Kubernetes (RHACM)
  • OpenShift distributed tracing

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Will not fix | | |
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Will not fix | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/application-ui-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-api-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-header-rhel8 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-ui-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/mcm-topology-api-rhel8 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/mcm-topology-rhel8 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-ui-rhel8 | Fix deferred | | |


Additional information

Status: Moderate
Defect: CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=1945459 nodejs-glob-parent: Regular expression denial of service

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 5.3
ubuntu
about 4 years ago

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

CVSS3: 5.3
nvd
about 4 years ago

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

CVSS3: 5.3
debian
about 4 years ago

This affects the package glob-parent before 5.1.2. The enclosure regex ...

CVSS3: 7.5
github
about 4 years ago

glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex

rocky
more than 3 years ago

Moderate: nodejs:16 security, bug fix, and enhancement update
