Description
async versions <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) when the autoinject function parses the source text of a task function to discover its parameter names. NOTE: this is disputed by the supplier because there is no realistic threat model: the regular expression is not used with untrusted input.
A flaw was found in the async Node.js package. A Regular Expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.
The practical caveat: the string the regular expression runs over is the source of the functions the calling application itself passes to autoinject, so the "specially crafted input" has to be code that is already executing in the process, and whoever can supply that can do far more than stall a regex. Treat this as a dependency-hygiene finding (move copies of async in your tree past the listed ranges) rather than a remotely reachable denial of service, unless your application really does hand externally supplied function objects to autoinject.
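Since the exposure reduces to "is an affected copy of async installed, and does our code call autoinject at all", the check a practitioner wants is a lock-file scan plus a source grep. The script below is an added example, not code from the advisory or from the async project: it walks an npm package-lock.json (lockfileVersion 1 nested "dependencies", or 2/3 flat "packages"), flags every copy of async whose version falls in the ranges the advisory lists, and reports whether a given source file calls autoinject. The lock files and source snippet are constructed for the demo; the function names are my own.

```javascript
// Added example (not part of the advisory or the async project).
// Flags installed copies of "async" inside the advisory's version ranges
// (<= 2.6.4, or 3.0.0 through 3.2.5) and checks whether app code calls
// autoinject, the only entry point the advisory names.

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Version predicate taken literally from the advisory text.
function isAffectedAsyncVersion(version) {
  const v = parseSemver(version);
  if (v === null) return false; // git URL or tag: cannot decide from the lock file alone
  const upTo264 = cmpSemver(v, [2, 6, 4]) <= 0;
  const in3xUpTo325 = v[0] === 3 && cmpSemver(v, [3, 2, 5]) <= 0;
  return upTo264 || in3xUpTo325;
}

// Returns [{ path, version }] for every affected copy, including nested ones
// that "npm ls async" would show under other dependencies.
function findAffectedAsync(lock) {
  const hits = [];
  // lockfileVersion 2/3: keys are installation paths relative to the project root
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isAsync = path === 'node_modules/async' || path.endsWith('/node_modules/async');
    if (isAsync && isAffectedAsyncVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" objects (v2 also carries this
  // block for compatibility, so only walk it when "packages" is absent)
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'async' && isAffectedAsyncVersion(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// The advisory names autoinject as the only code path that runs the regex,
// so an affected version that is never passed to autoinject is not reachable.
function callsAutoinject(source) {
  return /\bautoinject\s*\(/.test(source);
}

// Constructed sample lock files (not real projects).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { async: '^3.2.0', 'legacy-tool': '^1.0.0' } },
    'node_modules/async': { version: '3.2.6' },
    'node_modules/legacy-tool': { version: '1.0.0', dependencies: { async: '^2.6.0' } },
    'node_modules/legacy-tool/node_modules/async': { version: '2.6.4' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    async: { version: '3.2.5' },
    'legacy-tool': { version: '1.0.0', dependencies: { async: { version: '2.6.4' } } },
  },
};

// Constructed application source: calls autoinject on developer-written tasks.
const SAMPLE_SOURCE = `
const async = require('async');
async.autoinject({ config: cb => cb(null, {}), db: (config, cb) => cb(null, 'ok') }, done);
`;

for (const lock of [SAMPLE_LOCK, SAMPLE_LOCK_V1]) {
  for (const hit of findAffectedAsync(lock)) {
    console.log(`lockfileVersion ${lock.lockfileVersion}: ${hit.path} is async ${hit.version} (in advisory range)`);
  }
}
console.log(`application calls autoinject: ${callsAutoinject(SAMPLE_SOURCE)}`);
```

Run it against a real project by replacing the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))` and the contents of your source files. A hit in the lock file plus `false` from the autoinject check means the regex is never reached; a hit plus `true` still only matters if the functions handed to autoinject come from outside your own codebase.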
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Migration Toolkit for Applications 6 | async | Will not fix | ||
| Migration Toolkit for Applications 6 | mta/mta-ui-rhel9 | Will not fix | ||
| Migration Toolkit for Applications 7 | mta/mta-cli-rhel9 | Not affected | ||
| Migration Toolkit for Applications 7 | mta/mta-ui-rhel9 | Not affected | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-console-plugin-rhel9 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Will not fix | ||
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Will not fix | ||
| Node HealthCheck Operator | workload-availability/node-remediation-console-rhel8 | Will not fix | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel8 | Will not fix | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-db-migration-rhel8 | Will not fix | ||
Additional information
Status:
EPSS:
CVSS3: 5.3 (Medium)
Related vulnerabilities