exploitDog

CVE-2021-23364

Published: 28 Apr 2021
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

A Regular Expression Denial of Service (ReDoS) vulnerability was found in the browserslist library. An attacker who can supply a query string that browserslist parses can trigger catastrophic backtracking in the parser's regular expression, which can lead to service degradation.
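The mechanism behind a CWE-400 ReDoS in a query parser, as an added example that is not code from browserslist, Red Hat or exploitDog: a constructed "list of words" matcher whose overlapping quantifiers backtrack exponentially on a rejected input, the same matcher rewritten so rejection is linear, a timing harness that shows the growth, and the input-length guard a service should apply before handing untrusted queries to any regex. The regexes, the query strings and the 256-character cap are assumptions made for the illustration; they are not the expressions or limits in browserslist.

```javascript
// Added example, not code from browserslist, Red Hat or exploitDog.
// The regexes and inputs here are constructed for illustration and are
// not the expressions browserslist uses.

// Constructed vulnerable pattern: the separator \s* is optional, so
// (\w+\s*)+ can split one run of letters into 2^(n-1) ordered pieces.
// When the anchor $ then fails, the engine retries every split before
// it rejects the input.
const BACKTRACKING_RE = /^(\w+\s*)+$/;

// Rewritten pattern: whitespace is mandatory between words, so each
// character belongs to exactly one \w+ and rejection costs O(n).
const LINEAR_RE = /^\w+(?:\s+\w+)*\s*$/;

// Worst-case input: n word characters followed by a byte that neither
// \w nor \s accepts, so the overall match must fail after backtracking.
function hostileQuery(n) {
  return 'a'.repeat(n) + '!';
}

// Run a regex once and report the decision and its wall-clock cost.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Guard for untrusted query strings: bound the length before any
// regex runs, then use only the linear pattern. The cap is an assumed
// policy value; size it for the caller's real queries.
const MAX_QUERY_LENGTH = 256;
function parseQueryList(raw) {
  if (typeof raw !== 'string') throw new TypeError('query must be a string');
  if (raw.length > MAX_QUERY_LENGTH) {
    throw new RangeError(`query too long (${raw.length} > ${MAX_QUERY_LENGTH})`);
  }
  if (!LINEAR_RE.test(raw)) throw new SyntaxError(`unknown query: ${raw}`);
  return raw.trim().split(/\s+/);
}

// Time roughly doubles per extra character for the backtracking
// pattern and stays flat for the rewritten one.
for (const n of [16, 18, 20, 22]) {
  const q = hostileQuery(n);
  const slow = timeMatch(BACKTRACKING_RE, q);
  const fast = timeMatch(LINEAR_RE, q);
  console.log(`n=${n}: backtracking ${slow.ms.toFixed(1)} ms, linear ${fast.ms.toFixed(3)} ms`);
}
console.log(parseQueryList('last 2 versions'));
```

Both patterns give the same yes/no answer on every input; only the cost of a rejection differs, which is why ReDoS is invisible to functional tests and shows up only under adversarial input. Upgrading to a fixed release removes the pattern; the length cap limits the damage from any regex you have not audited.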

Report

While some components do package a vulnerable version of the Node.js browserslist library, access to them requires OpenShift OAuth credentials, and hence they have been marked with Low impact. This applies to the following products:

  • OpenShift Container Platform (OCP)
  • OpenShift ServiceMesh (OSSM)
  • Red Hat Advanced Cluster Management for Kubernetes (RHACM)

In Red Hat Quay, while a vulnerable version of browserslist is included in the quay-rhel8 container, it is a development dependency only, therefore the impact is low.

Affected packages

Platform | Package | State
OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected
OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/application-ui-rhel8 | Will not fix
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-header-rhel8 | Will not fix
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Will not fix
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-ui-rhel8 | Will not fix
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/grc-ui-api-rhel8 | Will not fix
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/grc-ui-rhel8 | Not affected
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/mcm-topology-api-rhel8 | Will not fix
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/mcm-topology-rhel8 | Will not fix

(No advisory or release is listed for any row.)


Additional information

Severity: Moderate
Weakness: CWE-400 (Uncontrolled Resource Consumption)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1955619 (browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS))

EPSS
Score: 0.00385 (Low), percentile: 59%

CVSS3
5.3 (Medium)

Related vulnerabilities

CVSS3: 5.3
ubuntu
almost 5 years ago

The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

CVSS3: 5.3
nvd
almost 5 years ago

The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

CVSS3: 5.3
debian
almost 5 years ago

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable t ...

CVSS3: 5.3
github
more than 4 years ago

Regular Expression Denial of Service in browserslist
