Description
find-my-way is a fast, open source HTTP router that internally uses a Radix Tree (aka compact Prefix Tree), supports route params and wildcards, and is framework independent. A bad regular expression is generated any time a route has two parameters within a single segment and a `-` added at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1, or subsequent versions. There are no known workarounds for this issue.
A regular expression denial of service (ReDoS) flaw was found in find-my-way. A bad regular expression is generated any time one has two parameters within a single segment, when adding a - at the end, such as /:a-:b-. This issue may cause a denial of service in some instances.
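One way to check an application for the route shape described above, as an added example that is not from the advisory or the find-my-way project: it flags segments holding two or more parameters that end in a literal `-` and compares the installed version with the fixed releases named above. It assumes plain `:name` parameters and that every earlier release lacks the fix; `auditRoutes`, `riskySegments` and `isFixedVersion` are hypothetical names.

```javascript
// Added audit helper (not find-my-way code). Flags route patterns of the
// shape the advisory describes and checks the installed version.

// Fixed releases named in the advisory, keyed by major version.
const FIXED = { 8: [8, 2, 2], 9: [9, 0, 1] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Assumption: every release below 8.2.2, and 9.0.0, lacks the fix.
function isFixedVersion(v) {
  const ver = parseVersion(v);
  if (ver[0] < 8) return false;
  if (ver[0] > 9) return true; // "subsequent versions"
  return cmp(ver, FIXED[ver[0]]) >= 0;
}

// A segment is flagged when it holds two or more plain `:name` parameters
// and ends in a literal "-" after the last one, e.g. ":a-:b-".
function riskySegments(route) {
  return route.split('/').filter((seg) => {
    const params = seg.match(/:[A-Za-z0-9_]+/g) || [];
    return params.length >= 2 && seg.endsWith('-');
  });
}

// Returns the routes that need review on an unfixed version.
function auditRoutes(version, routes) {
  if (isFixedVersion(version)) return [];
  return routes
    .map((route) => ({ route, segments: riskySegments(route) }))
    .filter((r) => r.segments.length > 0);
}
```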
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat OpenShift AI (RHOAI) | odh-dashboard-container | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | odh-operator-container | Not affected | | |
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-dashboard-rhel8 | Will not fix | | |
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-operator-rhel8 | Not affected | | |
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-rhel8-operator | Not affected | | |
| multicluster engine for Kubernetes 2.6 for RHEL 8 | multicluster-engine/assisted-image-service-rhel8 | Fixed | RHSA-2024:11293 | 17.12.2024 |
| multicluster engine for Kubernetes 2.6 for RHEL 8 | multicluster-engine/assisted-installer-agent-rhel8 | Fixed | RHSA-2024:11293 | 17.12.2024 |
| multicluster engine for Kubernetes 2.6 for RHEL 8 | multicluster-engine/assisted-installer-controller-rhel8 | Fixed | RHSA-2024:11293 | 17.12.2024 |
| multicluster engine for Kubernetes 2.6 for RHEL 8 | multicluster-engine/assisted-installer-rhel8 | Fixed | RHSA-2024:11293 | 17.12.2024 |
| multicluster engine for Kubernetes 2.6 for RHEL 8 | multicluster-engine/assisted-service-8-rhel8 | Fixed | RHSA-2024:11293 | 17.12.2024 |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
find-my-way has a ReDoS vulnerability in multiparametric routes
A vulnerability in the Find my Way HTTP router, related to the use of a regular expression with inefficient computational complexity, which allows an attacker to cause a denial of service (ReDoS)