Description
The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
A flaw was found in nodejs-ua-parser-js. The software is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes.
Statement
Red Hat OpenShift Container Platform 4 delivers the kibana package where the ua-parser-js library is bundled, but during the update to container first (to openshift4/ose-logging-kibana6) the dependency was removed and hence kibana package is marked as wontfix. This may be fixed in the future. Red Hat Ceph Storage 3 and 4 ship a version of grafana that pulls a version of ua-parser-js (0.7.9) that uses the affected code.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel7 | Out of support scope | | |
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-query-rhel7 | Out of support scope | | |
| OpenShift Service Mesh 1 | servicemesh-grafana | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | nodejs-ua-parser-js | Fix deferred | | |
| Red Hat Ceph Storage 3 | grafana | Affected | | |
| Red Hat Ceph Storage 3 | grafana-container | Affected | | |
| Red Hat Ceph Storage 4 | rhceph/rhceph-4-dashboard-rhel8 | Affected | | |
| Red Hat OpenShift Container Platform 3.11 | kibana | Fix deferred | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/grafana | Not affected | | |
| Red Hat OpenShift Container Platform 4 | kibana | Will not fix | | |
Additional information
Status:
7.5 High
CVSS3
Related vulnerabilities
The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expre ...
ua-parser-js Regular Expression Denial of Service vulnerability
Vulnerability in the ua-parser-js library of the Aurora Center application software, related to uncontrolled resource consumption, which allows an attacker to cause a denial of service
7.5 High
CVSS3