exploitDog
CVE-2022-25883

Published: 21 Jun 2023
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service.
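Because the flaw lives in the range parser itself, the practical defender's question is "which copies of semver in my build are older than 7.5.2?". The added example below (not code from the page, Red Hat or the semver project) scans a lockfileVersion 2/3 package-lock.json, including nested installs, and reports every copy below the fixed version together with its dev-dependency flag; the lock file content is constructed for illustration.

```javascript
// Added example: find copies of the npm "semver" package below the fixed
// version 7.5.2 in a package-lock.json (lockfileVersion 2/3 "packages" map).
const FIXED_VERSION = '7.5.2'; // first version without the ReDoS in new Range

// Compare two "x.y.z" version strings numerically (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Return every semver install (top-level or nested) older than FIXED_VERSION.
function findVulnerableSemver(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/semver" or "node_modules/x/node_modules/semver".
    if (!/(^|\/)node_modules\/semver$/.test(path)) continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      // "dev: true" marks a build-time-only copy, as in the Red Hat statement.
      hits.push({ path, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}

// Constructed lock file: one fixed copy, one nested dev copy, one nested runtime copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/some-tool/node_modules/semver': { version: '6.3.0', dev: true },
    'node_modules/other-lib/node_modules/semver': { version: '7.3.8' },
  },
});

console.log(findVulnerableSemver(SAMPLE_LOCK)); // reports the 6.3.0 and 7.3.8 copies
```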

Statement

Red Hat Advanced Cluster Management for Kubernetes 2 and Red Hat Advanced Cluster Security 3 have been marked as Low severity because node-semver is a dev dependency for those products, used only during the build process and not in customer environments. In Red Hat Advanced Cluster Management for Kubernetes (RHACM) the server-regexp dependency is protected by OAuth, which reduces the impact of this flaw to Low.

Affected packages

Platform                                                 Package                                           State          Recommendation   Release
Cryostat 2                                               nodejs-semver                                     Not affected
Logging Subsystem for Red Hat OpenShift                  openshift-logging/kibana6-rhel8                   Not affected
Migration Toolkit for Applications 6                     mta/mta-ui-rhel9                                  Will not fix
Migration Toolkit for Virtualization                     migration-toolkit-virtualization/mtv-ui-rhel8     Will not fix
OpenShift Pipelines                                      openshift-pipelines/pipelines-hub-ui-rhel8        Affected
OpenShift Serverless                                     nodejs-semver                                     Affected
OpenShift Service Mesh 2                                 openshift-service-mesh/kiali-rhel8                Will not fix
Red Hat Advanced Cluster Management for Kubernetes 2     acm-cluster-templates-console-plugin-container    Fix deferred
Red Hat Advanced Cluster Management for Kubernetes 2     rhacm2/search-api-rhel8                           Fix deferred
Red Hat Advanced Cluster Security 3                      advanced-cluster-security/rhacs-main-rhel8        Will not fix

Additional information

Status: Moderate
Weakness: CWE-1333
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2216475
nodejs-semver: Regular expression denial of service

EPSS

Percentile: 54%
Score: 0.00308
Low

CVSS3

7.5 High

Related vulnerabilities

CVSS3: 5.3
ubuntu
almost 2 years ago

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

CVSS3: 5.3
nvd
almost 2 years ago

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

CVSS3: 7.5
msrc
almost 2 years ago

No description available

CVSS3: 5.3
debian
almost 2 years ago

Versions of the package semver before 7.5.2 are vulnerable to Regular ...

CVSS3: 7.5
github
almost 2 years ago

semver vulnerable to Regular Expression Denial of Service