
CVE-2024-45296

Inefficient Regular Expression Complexity

Published: Sep 09, 2024 | Modified: Sep 10, 2024
Severity scores
CVSS 3.x (source: NVD): N/A
CVSS 2.x (source: NVD): none listed
RedHat/V2: none listed
RedHat/V3: 5.3 MODERATE (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Ubuntu: MEDIUM

path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). Users of 0.1 should upgrade to 0.1.10; all other users should upgrade to 8.0.0.
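Upgrading is the fix, but a quick way to find which routes in an application have the shape described above is to lint the route patterns themselves. The following is an added example, not code from the advisory or from the path-to-regexp project; it assumes Express-style `:name` parameters (the syntax used with path-to-regexp 0.1.x) and uses a constructed sample route table.

```javascript
// Added example, not code from the advisory or from path-to-regexp itself:
// a lint that flags route patterns with the shape the advisory describes,
// i.e. two parameters inside one path segment separated by anything other
// than a single period. Assumes Express-style ":name" parameters (the
// syntax used with path-to-regexp 0.1.x); the route table is constructed.

const PARAM = /:[A-Za-z0-9_]+/g;

/**
 * Return the segments of `route` that contain two or more ":param" tokens
 * whose separator is not exactly ".". Each finding records the segment and
 * the offending separator ("" when the parameters are adjacent).
 * Modifiers such as "?" or "+" after a parameter are treated as part of the
 * separator, so the check is deliberately conservative.
 */
function riskySegments(route) {
  const findings = [];
  for (const segment of route.split('/')) {
    const params = [...segment.matchAll(PARAM)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      const separator = segment.slice(prev.index + prev[0].length, cur.index);
      if (separator !== '.') {
        findings.push({ segment, separator });
        break; // one finding per segment is enough to flag the route
      }
    }
  }
  return findings;
}

// Lint a list of route patterns; returns only the routes that need attention.
function lintRoutes(routes) {
  return routes
    .map((route) => ({ route, findings: riskySegments(route) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample route table, as an application might register with Express.
const SAMPLE_ROUTES = [
  '/users/:id',            // one parameter per segment: fine
  '/files/:name.:ext',     // two parameters separated by a period: fine
  '/range/:from-:to',      // two parameters separated by "-": flagged
  '/report/:year:month',   // adjacent parameters, no separator: flagged
];

for (const { route, findings } of lintRoutes(SAMPLE_ROUTES)) {
  const segs = findings.map((f) => JSON.stringify(f.segment)).join(', ');
  console.log(`${route}: risky segment(s) ${segs}`);
}
```

Run it over the real route list (or the output of `app._router.stack` in an Express app) to get the set of patterns to rewrite or to prioritise for the upgrade.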

Weakness

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Affected Software

Name | Vendor | Start Version | End Version
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-cli-rhel9:v1.7.0-67 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-console-plugin-rhel9:v1.7.0-67 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-ebpf-agent-rhel9:v1.7.0-67 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-flowlogs-pipeline-rhel9:v1.7.0-67 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-operator-bundle:1.7.0-86 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-rhel9-operator:v1.7.0-67 | *
Red Hat OpenShift Container Platform 4.16 | RedHat | openshift4/ose-monitoring-plugin-rhel9:v4.16.0-202410021704.p0.g6a049e3.assembly.stream.el9 | *
Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-monitoring-plugin-rhel9:v4.17.0-202410091535.p0.gc7bc7fc.assembly.stream.el9 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/argocd-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/argo-rollouts-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/console-plugin-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/dex-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/gitops-operator-bundle:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/gitops-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/gitops-rhel8-operator:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/kam-delivery-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/must-gather-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-argocd-rhel9-container-v1.13.2-5 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/grafana-rhel8:2.6.2-3 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/istio-cni-rhel8:2.6.2-5 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/istio-must-gather-rhel8:2.6.2-4 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/istio-rhel8-operator:2.6.2-5 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1.89.2-3 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.89.4-3 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8-operator:1.89.6-1 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/pilot-rhel8:2.6.2-5 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/ratelimit-rhel8:2.6.2-3 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 9 | RedHat | openshift-service-mesh/proxyv2-rhel9:2.6.2-7 | *
RHODF-4.17-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.17.0-69 | *
RHODF-4.17-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.17.0-53 | *
RHODF-4.17-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.17.0-53 | *
RHODF-4.17-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.17.0-53 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/cluster-logging-operator-bundle:v5.9.7-11 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/cluster-logging-rhel9-operator:v5.9.7-6 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/eventrouter-rhel9:v0.4.0-301 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/fluentd-rhel9:v5.9.7-3 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-282 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/logging-loki-rhel9:v3.1.1-10 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/logging-view-plugin-rhel9:v5.9.7-5 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/loki-operator-bundle:v5.9.7-16 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/loki-rhel9-operator:v5.9.7-7 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/lokistack-gateway-rhel9:v0.1.0-653 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/opa-openshift-rhel9:v0.1.0-288 | *
RHOL-5.9-RHEL-9 | RedHat | openshift-logging/vector-rhel9:v0.34.1-19 | *

Extended Description

Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
