exploitDog
CVE-2022-25758

Published: 1 Jul 2022
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

A flaw was found in the scss-tokenizer package. Affected versions of this package are vulnerable to regular expression denial of service (ReDoS) attacks.
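The following is an added example, not code from scss-tokenizer and not the regex behind this CVE (the advisory does not quote it). It uses a constructed comment-annotation syntax (`/* @name words */`) and a hypothetical regex with the nested-quantifier shape that CWE-1333 describes, next to a linear-time scanner for the same grammar, so the failure mode and the fix can be observed directly:

```javascript
// Added example (not scss-tokenizer's code): a constructed comment-annotation
// parser with a nested-quantifier regex, shown next to a linear-time scanner.
// The regex and the "/* @name words */" syntax are hypothetical stand-ins;
// only the ReDoS failure mode is the same as in CVE-2022-25758.

// Vulnerable form: `(?:\w+\s*)+` lets the engine split a run of word characters
// into exponentially many combinations when the mandatory `*/` never arrives.
const UNSAFE_ANNOTATION = /^\/\*\s*@(\w+)\s+((?:\w+\s*)+)\*\/$/;

function parseAnnotationUnsafe(text) {
  const m = UNSAFE_ANNOTATION.exec(text);
  return m ? { name: m[1], body: m[2].trim() } : null;
}

// Hardened form: the same grammar scanned left to right in one pass, no backtracking.
function parseAnnotationSafe(text) {
  const isWord = (c) => /[A-Za-z0-9_]/.test(c); // same set as \w without the u flag
  const isSpace = (c) => /\s/.test(c);
  const n = text.length;
  if (!text.startsWith('/*')) return null;
  let i = 2;
  while (i < n && isSpace(text[i])) i++;
  if (text[i] !== '@') return null;
  i++;
  const nameStart = i;
  while (i < n && isWord(text[i])) i++;
  if (i === nameStart) return null;                 // name needs at least one \w
  const name = text.slice(nameStart, i);
  if (i >= n || !isSpace(text[i])) return null;     // at least one separator
  while (i < n && isSpace(text[i])) i++;
  const bodyStart = i;
  let bodyEnd = -1;                                 // end of the last word seen
  while (i < n && isWord(text[i])) {
    while (i < n && isWord(text[i])) i++;
    bodyEnd = i;
    while (i < n && isSpace(text[i])) i++;
  }
  if (bodyEnd < 0) return null;                     // body needs at least one word
  if (text.slice(i) !== '*/') return null;          // closing delimiter must end the input
  return { name, body: text.slice(bodyStart, bodyEnd) };
}

// Constructed adversarial input: a valid prefix, a run of n word characters,
// and a final byte that can never begin "*/", so every split is tried and fails.
function adversarialInput(n) {
  return '/* @name ' + 'a'.repeat(n) + '!';
}

function millis(fn, arg) {
  const t0 = process.hrtime.bigint();
  fn(arg);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

function demo() {
  // Regex time roughly doubles per extra character; the scanner stays flat.
  for (const n of [8, 12, 16, 20]) {
    const input = adversarialInput(n);
    console.log(`n=${n}  regex ${millis(parseAnnotationUnsafe, input).toFixed(1)} ms` +
                `  scanner ${millis(parseAnnotationSafe, input).toFixed(3)} ms`);
  }
  // Input the regex could not finish in any useful time is trivial for the scanner.
  console.log('scanner on n=200000:', parseAnnotationSafe(adversarialInput(200000)));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Do not run the regex form on larger n than the demo uses; the work grows as roughly 2^n. If a vulnerable regex cannot be replaced immediately, capping the input length before `exec` bounds the exponent but does not remove the defect; the scanner (or an equivalent regex with no overlapping quantifiers) is the fix.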

Statement

In OpenShift Service Mesh (OSSM), the vulnerable scss-tokenizer Node.js package is shipped in the openshift-service-mesh/kiali-rhel8 and openshift-service-mesh/grafana-rhel8 container images.

In openshift-service-mesh/grafana-rhel8, scss-tokenizer is shipped as part of the grafana RPM package, which is consumed from Red Hat Enterprise Linux (RHEL) repositories starting with OSSM 2.0.9. Once this vulnerability is fixed in RHEL, the fixed grafana package will be consumed by OSSM and delivered in subsequent OSSM releases. Versions older than OSSM 2.0.9 ship the servicemesh-grafana RPM package from OSSM repositories in the openshift-service-mesh/grafana-rhel8 container; those versions are no longer supported, so servicemesh-grafana is listed as affected with the "Will not fix" state.

In the openshift-service-mesh/kiali-rhel8 container image, scss-tokenizer is only a development dependency with no impact on the runtime environment, so it is marked "Will not fix".

Affected packages

Platform                                              | Package                             | State                | Advisory | Release
OpenShift Service Mesh 2                              | openshift-service-mesh/kiali-rhel8  | Will not fix         |          |
OpenShift Service Mesh 2.0                            | servicemesh-grafana                 | Will not fix         |          |
OpenShift Service Mesh 2.1                            | openshift-service-mesh/kiali-rhel8  | Will not fix         |          |
OpenShift Service Mesh 2.1                            | servicemesh-grafana                 | Affected             |          |
Red Hat Advanced Cluster Management for Kubernetes 2  | rhacm2/application-ui-rhel8         | Not affected         |          |
Red Hat Advanced Cluster Management for Kubernetes 2  | rhacm2/grc-ui-rhel8                 | Not affected         |          |
Red Hat Ceph Storage 4                                | cockpit-ceph-installer              | Affected             |          |
Red Hat Decision Manager 7                            | scss-tokenizer                      | Out of support scope |          |
Red Hat Enterprise Linux 8                            | 389-ds:1.4/389-ds-base              | Will not fix         |          |
Red Hat Enterprise Linux 8                            | cockpit-podman                      | Not affected         |          |


Additional information

Severity (Red Hat impact): Moderate

Weakness: CWE-1333 (Inefficient Regular Expression Complexity)

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2114794
scss-tokenizer: Regular expression denial of service in scss-tokenizer

EPSS

Score: 0.00493 (percentile: 65%), Low

CVSS3: 5.3 (Medium)

Related vulnerabilities

CVSS3: 5.3
ubuntu
more than 3 years ago

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

CVSS3: 5.3
nvd
more than 3 years ago

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

CVSS3: 5.3
debian
more than 3 years ago

All versions of package scss-tokenizer are vulnerable to Regular Expre ...

CVSS3: 7.5
github
more than 3 years ago

Regular expression denial of service in scss-tokenizer
