Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing a function in the autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: the regular expressions are not used with untrusted input.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-central-db-rhel8:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-collector-rhel8:4.5.3-2 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-collector-slim-rhel8:4.5.3-2 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-operator-bundle:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-rhel8-operator:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-roxctl-rhel8:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.5.3-2 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-scanner-rhel8:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.3-3 | * |
Red Hat Advanced Cluster Security 4.6 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.6.0-6 | * |
Red Hat Trusted Profile Analyzer 1.1 | RedHat | registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:9142fe58fad28a8b469b17bdd84fe6bbcb6830811a3b31c671142ce109739455 | * |
Node-async | Ubuntu | mantic | * |
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.