Description
axios is vulnerable to Inefficient Regular Expression Complexity
A Regular Expression Denial of Service (ReDoS) vulnerability was found in the Node.js axios package. The flaw allows an attacker to supply crafted input to the library's trim function; the regular expression used there backtracks super-linearly on such input, which can drive CPU consumption high enough to deny service. The primary threat from this vulnerability is to system availability.
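The following is an added example, not code from this advisory or from the axios project. It reproduces the shape of the flaw described above: a regex-based trim whose trailing `\s*$` pattern backtracks quadratically on a string with a long run of whitespace followed by a non-space character, placed beside two linear replacements (the native `String.prototype.trim`, and a regex-free index scan for runtimes without it). The exact vulnerable pattern is modelled on the whitespace-trim regex of affected axios releases and is an assumption here, since the advisory text does not quote it; the input sizes and the crafted-input layout are likewise constructed for the demonstration.

```javascript
// Added example (not axios code). Vulnerable regex shape is an assumption
// modelled on the trim helper of affected axios releases; the advisory does
// not quote it.

// Vulnerable shape: a greedy `\s*` that must be immediately followed by
// end-of-string. On "a<n spaces>b" the engine tries each of the n start
// positions inside the run, consumes the remaining spaces, fails at 'b',
// and backtracks through every shorter match: O(n^2) steps overall.
function trimVulnerable(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Hardened: native String.prototype.trim scans each end once, O(n).
function trimHardened(str) {
  return str.trim();
}

// Regex-free fallback for runtimes without String.prototype.trim:
// two index scans over the ends of the string, no backtracking, O(n).
function trimManual(str) {
  const isSpace = (c) => /\s/.test(c); // single-character test only
  let start = 0;
  let end = str.length;
  while (start < end && isSpace(str[start])) start++;
  while (end > start && isSpace(str[end - 1])) end--;
  return str.slice(start, end);
}

// Crafted input (constructed for this example): the whitespace run must not
// sit at the very start, or the leading /^\s*/ would strip it linearly
// before the trailing pattern ever runs.
function craftedInput(n) {
  return 'a' + ' '.repeat(n) + 'b';
}

// Wall-clock milliseconds for one call of fn(input).
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Runtime for a series of input sizes. For the vulnerable trim the time
// roughly quadruples each time n doubles; the linear versions stay flat.
function growthProfile(fn, sizes) {
  return sizes.map((n) => ({ n, ms: timeMs(fn, craftedInput(n)) }));
}

// Demo kept small so it finishes quickly even for the vulnerable version.
const demoSizes = [1000, 2000, 4000, 8000];
console.log('vulnerable', growthProfile(trimVulnerable, demoSizes));
console.log('hardened  ', growthProfile(trimHardened, demoSizes));
console.log('manual    ', growthProfile(trimManual, demoSizes));
```

Raising the sizes in `demoSizes` by a few more doublings makes the vulnerable variant take seconds while the other two remain in the sub-millisecond range; that growth curve, not any single absolute timing, is the signature of a ReDoS. All three functions return the same value on the crafted input, so a unit test of outputs alone would not have caught the flaw; a test that bounds runtime on adversarial input, or a switch to a non-backtracking implementation, is what closes it.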
Statement
- The OpenShift Container Platform (OCP) grafana-container packages a vulnerable version of Node.js axios. However, because the instance is read-only and sits behind OpenShift OAuth, the impact of this vulnerability is Low.
- Red Hat Advanced Cluster Management for Kubernetes (RHACM) 2.1 and earlier contain a vulnerable version of Node.js axios; RHACM 2.2 onwards is not affected. For RHACM 2.1, because the instance is read-only and behind OAuth, the impact of this vulnerability is Low.
- Because Service Telemetry Framework (STF) 1.2 will be retired soon and the flaw's impact is low, no update will be provided at this time for STF's service-telemetry-operator-container and smart-gateway-operator-container.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| OpenShift Service Mesh 1 | kiali | Out of support scope | | |
| OpenShift Service Mesh 1 | servicemesh-grafana | Out of support scope | | |
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/application-ui-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-header-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-ui-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/grc-ui-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/kui-web-terminal-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-ui-rhel8 | Fix deferred | | |
Additional information
Severity: Moderate
Weakness: CWE-400
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1999784 (nodejs-axios: Regular expression denial of service in trim function)
CVSS3: 7.5 (High)
Related vulnerabilities
| Source | CVSS3 | Reported | Title |
|---|---|---|---|
| ubuntu | 7.5 | more than 4 years ago | axios is vulnerable to Inefficient Regular Expression Complexity |
| nvd | 7.5 | more than 4 years ago | axios is vulnerable to Inefficient Regular Expression Complexity |
| debian | 7.5 | more than 4 years ago | axios is vulnerable to Inefficient Regular Expression Complexity |
| github | 7.5 | more than 4 years ago | axios Inefficient Regular Expression Complexity vulnerability |