CVE Vulnerabilities

CVE-2021-23362

Inefficient Regular Expression Complexity

Published: Mar 23, 2021 | Modified: Nov 21, 2024
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Weakness

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Affected Software

Name Vendor Start Version End Version
Hosted-git-info Npmjs 2.0.0 (including) 2.8.9 (excluding)
Hosted-git-info Npmjs 3.0.0 (including) 3.0.8 (excluding)
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 RedHat rhacm2/grc-ui-rhel8:v2.3.0-100 *
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 RedHat rhacm2/search-ui-rhel8:v2.3.0-59 *
Red Hat Enterprise Linux 8 RedHat nodejs:12-8040020210708131418.522a0ee4 *
Red Hat Enterprise Linux 8 RedHat nodejs:14-8040020210708154809.522a0ee4 *
Red Hat Enterprise Linux 8.1 Extended Update Support RedHat nodejs:12-8010020210817113128.c27ad7f8 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat nodejs:12-8020020210817125332.4cda2c84 *
Red Hat OpenShift Container Platform 4.8 RedHat openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs12-nodejs-0:12.22.2-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs12-nodejs-nodemon-0:2.0.3-2.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs14-nodejs-0:14.17.2-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs14-nodejs-nodemon-0:2.0.3-2.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS RedHat rh-nodejs12-nodejs-0:12.22.2-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS RedHat rh-nodejs12-nodejs-nodemon-0:2.0.3-2.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS RedHat rh-nodejs14-nodejs-0:14.17.2-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS RedHat rh-nodejs14-nodejs-nodemon-0:2.0.3-2.el7 *
Node-hosted-git-info Ubuntu bionic *
Node-hosted-git-info Ubuntu esm-apps/bionic *
Node-hosted-git-info Ubuntu esm-apps/focal *
Node-hosted-git-info Ubuntu groovy *
Node-hosted-git-info Ubuntu trusty *
Node-hosted-git-info Ubuntu upstream *

Extended Description

	  Attackers can create crafted inputs that
	  intentionally cause the regular expression to use
	  excessive backtracking in a way that causes the CPU
	  consumption to spike.

Potential Mitigations

References