Description
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern `\/\*\s* sourceMappingURL=(.*)`.
A regular expression denial of service (ReDoS) vulnerability was found in the npm library postcss when using the getAnnotationURL() or loadAnnotation() options in lib/previous-map.js. An attacker can use this vulnerability to craft malicious CSS which, when processed, results in a denial of service.
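Two defensive checks a maintainer might want alongside this advisory, written as an added example (not postcss's own code and not the upstream fix): a version comparison that flags postcss below 8.2.13 as affected, applied to an npm lockfile's `packages` map, and a linear-time scan for the `sourceMappingURL=` annotation inside a `/* ... */` comment that avoids the backtracking regex described above. The lockfile shape, the sample CSS and the scanner design are assumptions made for the example.

```javascript
// Added example: defensive checks related to the postcss ReDoS advisory.
// Not postcss code; the annotation scanner is an illustrative design only.

const FIXED_VERSION = '8.2.13'; // first non-vulnerable release per the advisory

// Compare dotted numeric versions (e.g. "8.2.12" vs "8.2.13").
// Returns a negative number, zero or a positive number.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

function isVulnerablePostcss(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk an npm lockfile (v2/v3 style "packages" map keyed by install path)
// and return the paths of every postcss copy below the fixed version.
function findVulnerablePostcss(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/postcss') && entry.version &&
        isVulnerablePostcss(entry.version)) {
      hits.push(`${path}@${entry.version}`);
    }
  }
  return hits;
}

// Linear-time extraction of a source map annotation: find each block
// comment with indexOf, skip leading whitespace and an optional '#', then
// check for the literal marker. No nested quantifiers, so no catastrophic
// backtracking regardless of how much whitespace the input contains.
function extractSourceMappingURL(css) {
  const marker = 'sourceMappingURL=';
  let pos = 0;
  for (;;) {
    const start = css.indexOf('/*', pos);
    if (start === -1) return null;
    const end = css.indexOf('*/', start + 2);
    if (end === -1) return null;
    const body = css.slice(start + 2, end);
    let i = 0;
    while (i < body.length && ' \t\r\n#'.includes(body[i])) i++;
    if (body.startsWith(marker, i)) {
      return body.slice(i + marker.length).trim();
    }
    pos = end + 2; // move past this comment and keep scanning
  }
}

// Constructed sample inputs for a stand-alone run.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/postcss': { version: '8.2.12' },
    'node_modules/some-tool/node_modules/postcss': { version: '8.2.13' },
  },
};
const SAMPLE_CSS = 'a { color: red }\n/*# sourceMappingURL=a.css.map */\n';
// A comment padded with a large run of whitespace and no marker: the
// scanner returns null in linear time.
const PADDED_CSS = '/*' + ' '.repeat(200000) + 'x */';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerablePostcss(SAMPLE_LOCK));
  console.log(extractSourceMappingURL(SAMPLE_CSS));
  console.log(extractSourceMappingURL(PADDED_CSS));
}
```

The version check is the part worth wiring into CI: run it over the resolved lockfile rather than over `package.json` ranges, since a vulnerable copy can be pulled in transitively by another tool.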
Statement
In Red Hat OpenShift Container Platform (RHOCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-postcss library to authenticated users only, therefore the impact is low.
Red Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-postcss library is used, but because the code is changing to container-first content, the kibana package is marked as wontfix. This may be fixed in the future.
In Red Hat Quay, whilst a vulnerable version of postcss is included in the quay-rhel8 container, it is a development dependency only, therefore the impact is low.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | application-ui | Fix deferred | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | console-header | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | console-ui | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | mcm-topology | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | search-ui | Fix deferred | ||
| Red Hat Ansible Automation Platform 1.2 | postcss | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | kibana | Not affected | ||
Additional information
Status:
CVSS3: 5.3 Medium