Description
The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
A regular expression denial of service (ReDoS) vulnerability was found in the npm library postcss. When a supplied CSS string contains an unexpected value, the time needed to parse it grows superlinearly with the length of the input, because the regular expression used to parse the source map comment backtracks on the malformed value. An attacker can exploit this by supplying a crafted, long CSS value, resulting in a denial of service of the process doing the parsing.
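The mechanism described above, as an added illustration that is not part of the advisory and not postcss's own code: a constructed regex in the style of a `/*# sourceMappingURL=... */` matcher, whose `(.*)` and the following `\s*` compete for the same run of whitespace, beside a linear scanner that rejects an unterminated comment immediately. The pattern, the function names and the sample inputs are assumptions made for this demonstration, not the actual vulnerable code or the upstream fix.

```javascript
// Added illustration of the ReDoS class in the description. The regex below is a
// constructed pattern in the style of a source-map comment matcher; it is NOT
// postcss's actual code or its fix.

// `(.*)` and the `\s*` after it can both absorb the same run of whitespace. When the
// closing `*/` never arrives, the engine retries every split between the two
// quantifiers before giving up, so a failed match costs O(n^2) in the input length.
const BACKTRACKING_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

function extractWithRegex(css) {
  const m = BACKTRACKING_RE.exec(css);
  return m ? m[1].trim() : null;
}

// Linear alternative: locate the markers with indexOf and never let two quantifiers
// compete for the same characters. An unterminated comment is rejected at once.
const MARKER = "# sourceMappingURL=";

function extractSourceMapUrl(css) {
  const open = css.lastIndexOf("/*");
  if (open === -1) return null;
  const close = css.indexOf("*/", open + 2);
  if (close === -1) return null;
  const body = css.slice(open + 2, close).trim();
  if (!body.startsWith(MARKER)) return null;
  const url = body.slice(MARKER.length).trim();
  return url.length > 0 ? url : null;
}

// Constructed hostile input: a source-map comment that is never closed, padded with
// `n` spaces on the same line so the greedy `(.*)` has n characters to give back.
function hostileCss(n) {
  return "a{color:red}\n/*# sourceMappingURL=" + " ".repeat(n);
}

// Wall-clock milliseconds for one call; used only to show the growth curve.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

const benign = "a{color:red}\n/*# sourceMappingURL=app.css.map */";
console.log("regex  :", extractWithRegex(benign));
console.log("scanner:", extractSourceMapUrl(benign));
for (const n of [2000, 4000, 8000]) {
  // Doubling n roughly quadruples the regex time; the scanner stays flat.
  console.log(
    `n=${n}`.padEnd(8),
    `regex ${timeMs(extractWithRegex, hostileCss(n)).toFixed(1)} ms`.padEnd(22),
    `scanner ${timeMs(extractSourceMapUrl, hostileCss(n)).toFixed(3)} ms`
  );
}
```

Node does not time out a regular expression, so a superlinear match on attacker-controlled CSS blocks the event loop of the whole process; the scanner version returns `null` for the unterminated comment in one pass over the string. Capping the accepted input length is a second, independent mitigation.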
Statement
In Red Hat OpenShift Container Platform (RHOCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-postcss library to authenticated users only, therefore the impact is low.
Red Hat OpenShift Container Platform 4 delivers the kibana package, which uses the nodejs-postcss library, but because that code is moving to container-first content the kibana package is marked as wontfix. This may be fixed in the future.
In Red Hat Quay, although a vulnerable version of postcss is included in the quay-rhel8 container, it is a development dependency only, therefore the impact is low.
In Red Hat Virtualization a vulnerable version of postcss is used in cockpit-ovirt, ovirt-web-ui and ovirt-engine-ui-extensions. However, it is only used during development and is used to process known CSS content. This flaw has been marked as "wontfix" and it may be addressed in future updates.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Fix deferred | | |
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | application-ui | Fix deferred | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | console | Fix deferred | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | search-ui | Fix deferred | | |
| Red Hat Ansible Automation Platform 1.2 | postcss | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | kibana | Not affected | | |
| Red Hat OpenShift Container Platform 4 | golang-github-prometheus-prometheus | Fix deferred | | |
| Red Hat OpenShift Container Platform 4 | kibana | Will not fix | | |
Additional information
CVSS3: 5.3 Medium
Related vulnerabilities
- Regular Expression Denial of Service in postcss
- Vulnerability in the PostCSS library of the Аврора Центр (Aurora Center) application software, related to uncontrolled resource consumption, allowing an attacker to cause a denial of service