exploitDog

CVE-2022-38900

Published: 28 Nov 2022
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

A flaw was found in decode-uri-component. This issue occurs due to a specially crafted input, resulting in a denial of service.

Report

For OpenShift Container Platform (OCP), Advanced Cluster Management for Kubernetes (ACM) and Advanced Cluster Security (ACS), the NPM decode-uri-component package is only present in source repositories as a development dependency; it is not used in production. Therefore this vulnerability is rated Low for OCP and ACS. In Red Hat OpenShift Logging, the openshift-logging/kibana6-rhel8 container bundles many nodejs packages as build-time dependencies, including the decode-uri-component package. The vulnerable code is not used, hence the impact of this vulnerability on OpenShift Logging is Low.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | | |
| Migration Toolkit for Applications 6 | mta/mta-ui-rhel9 | Affected | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-ui-rhel8 | Affected | | |
| OpenShift Developer Tools and Services | odo | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-ui-rhel8 | Affected | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/kiali-rhel8 | Not affected | | |
| OpenShift Service Mesh 2.1 | openshift-service-mesh/kiali-rhel8 | Affected | | |
| OpenShift Service Mesh 2.1 | servicemesh-grafana | Affected | | |
| OpenShift Service Mesh 2.1 | servicemesh-prometheus | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Fix deferred | | |

Additional information

Status: Important
Defect: CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=2170644 decode-uri-component: improper input validation resulting in DoS

EPSS

Percentile: 55%
0.00329
Low

7.5 High

CVSS3

Related vulnerabilities

CVSS3: 7.5
nvd
more than 2 years ago

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

CVSS3: 7.5
github
more than 2 years ago

decode-uri-component vulnerable to Denial of Service (DoS)

oracle-oval
more than 1 year ago

ELSA-2023-6316: pcs (LOW)

CVSS3: 7.5
fstec
almost 3 years ago

Vulnerability in the decodeComponents() function of the decode-uri-component URI component decoder that allows an attacker to cause a denial of service

oracle-oval
about 2 years ago

ELSA-2023-1743: nodejs:14 security, bug fix, and enhancement update (IMPORTANT)
