Description
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
A regular expression denial of service vulnerability was found in hosted-git-info. If an application allows user input into the affected regular expression (regexp) function, shortcutMatch or fromUrl, then an attacker could craft a regexp which takes an ever increasing amount of time to process, potentially resulting in a denial of service.
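The first question a practitioner asks of an advisory like this is whether a vulnerable copy of the package is actually present in a dependency tree, and whether it is a runtime or a development-only dependency (the Red Hat statement below rates several products Low precisely because the copy is dev-only). The following is an added example, not code from the advisory or from the hosted-git-info project: it walks a lockfile-v1-shaped dependency tree and flags every hosted-git-info entry below the fixed version 3.0.8 named in the description. The lock data is a constructed sample, and the semver comparison deliberately ignores prerelease tags.

```javascript
// Added example: scan a package-lock.json (v1 layout) for hosted-git-info < 3.0.8.
// Not part of the advisory; SAMPLE_LOCK is constructed, not a real lockfile.
const FIXED_VERSION = '3.0.8'; // first fixed release per the advisory text

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); prerelease/build tags are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison per component; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(v) {
  return compareSemver(v, FIXED_VERSION) < 0;
}

// Recursively walk {dependencies: {name: {version, dev, dependencies}}}.
// A dependency nested under a dev dependency is itself dev-only, so the
// "dev" flag is inherited down the chain.
function findVulnerable(node, path = [], out = [], inheritedDev = false) {
  const deps = node.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const dev = inheritedDev || Boolean(info.dev);
    const chain = [...path, `${name}@${info.version}`];
    if (name === 'hosted-git-info' && isVulnerableVersion(info.version)) {
      out.push({ version: info.version, dev, path: chain.join(' > ') });
    }
    findVulnerable(info, chain, out, dev);
  }
  return out;
}

// Constructed sample tree: one fixed top-level copy, one vulnerable runtime
// copy pulled in transitively, and one vulnerable dev-only copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'hosted-git-info': { version: '3.0.8' },
    'npm-package-arg': {
      version: '8.1.0',
      dependencies: { 'hosted-git-info': { version: '3.0.7' } },
    },
    'karma-coverage': {
      version: '2.0.3',
      dev: true,
      dependencies: { 'hosted-git-info': { version: '2.8.8' } },
    },
  },
};

// Print one line per finding, marking dev-only copies, and return the findings.
function report(lock) {
  const hits = findVulnerable(lock);
  for (const h of hits) {
    console.log(`${h.dev ? '[dev-only] ' : '[runtime]  '}hosted-git-info@${h.version} via ${h.path}`);
  }
  return hits;
}

report(SAMPLE_LOCK);
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; a runtime finding means user-controlled strings reaching fromUrl should be treated as untrusted until the package is upgraded, while a dev-only finding carries the lower impact the statement below describes.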
Report
While some components do package a vulnerable version of hosted-git-info, access to them requires OpenShift OAuth credentials and hence they have been marked with a Low impact. This applies to the following products:
- OpenShift Container Platform (OCP)
- OpenShift ServiceMesh (OSSM)
- Red Hat Advanced Cluster Management for Kubernetes (RHACM)
Specifically the following components:
- The OCP hive-container does ship the vulnerable component, however since OCP 4.6 the Metering product has been deprecated [1], set as wont-fix and may be fixed in a future release.
- Red Hat Ceph Storage (RHCS) 4 packages a version of nodejs-hosted-git-info which is vulnerable to this flaw in the grafana-container shipped with it.
- Red Hat Quay includes hosted-git-info as a dependency of karma-coverage which is only used at development time. The hosted-git-info library is not used at runtime so the impact is low for Red Hat Quay.
- Red Hat Virtualization includes a vulnerable version of hosted-git-info, however it is only used during development. The hosted-git-info library is not used at runtime thus impact is rated Low and marked as "wontfix" at this time. Future updates may address this flaw.
[1] - https://access.redhat.com/solutions/5707561
Affected packages
Platform | Package | State | Recommendation | Release
---|---|---|---|---
Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel8 | Not affected | |
Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-query-rhel8 | Not affected | |
OpenShift Service Mesh 2.0 | servicemesh-grafana | Will not fix | |
OpenShift Service Mesh 2.0 | servicemesh-prometheus | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | application-ui | Fix deferred | |
Red Hat Advanced Cluster Management for Kubernetes 2 | console-header | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | console-ui | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | grc-ui | Affected | |
Red Hat Ceph Storage 2 | grafana | Out of support scope | |
Red Hat Ceph Storage 3 | grafana | Out of support scope | |
Additional information
Status:
CVSS3: 5.3 Medium
Related vulnerabilities
Regular Expression Denial of Service in hosted-git-info
A vulnerability in the fromUrl function of the hosted-git-info software, related to an incorrect regular expression, allows an attacker to cause a denial of service.
CVSS3: 5.3 Medium