CVE-2021-23362

Public on

Last Modified: UTC

ModerateModerate ImpactWhat does this mean?
DescriptionStatementAdditional informationAffected PackagesCVSS Score DetailsWeakness (CWE)FAQ

Description

A regular expression denial of service vulnerability was found in hosted-git-info. If an application allows user input into the affected regular expression (regexp) function, `shortcutMatch` or `fromUrl`, then an attacker could craft a regexp which takes an ever increasing amount of time to process, potentially resulting in a denial of service.

A regular expression denial of service vulnerability was found in hosted-git-info. If an application allows user input into the affected regular expression (regexp) function, shortcutMatch or fromUrl, then an attacker could craft a regexp which takes an ever increasing amount of time to process, potentially resulting in a denial of service.

Statement

While some components do package a vulnerable version of hosted-git-info, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. This applies to the following products: - OpenShift Container Platform (OCP) - OpenShift ServiceMesh (OSSM) - Red Hat Advanced Cluster Management for Kubernetes (RHACM) Specifically the following components: - The OCP hive-container does ship the vulnerable component, however since OCP 4.6 the Metering product has been deprecated [1], set as wont-fix and may be fixed in a future release. Red Hat Ceph Storage (RHCS) 4 packages a version of nodejs-hosted-git-info which is vulnerable to this flaw in the grafana-container shipped with it. Red Hat Quay includes hosted-git-info as a dependency of karma-coverage which is only used at development time. The hosted-git-info library is not used at runtime so the impact is low for Red Hat Quay. Red Hat Virtualization includes a vulnerable version of hosted-git-info, however it is only used during development. The hosted-git-info library is not used at runtime thus impact is rated Low and marked as "wontfix" at this time. Future updates may address this flaw. [1] - https://access.redhat.com/solutions/5707561

While some components do package a vulnerable version of hosted-git-info, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. This applies to the following products:

  • OpenShift Container Platform (OCP)
  • OpenShift ServiceMesh (OSSM)
  • Red Hat Advanced Cluster Management for Kubernetes (RHACM)

Specifically the following components:

  • The OCP hive-container does ship the vulnerable component, however since OCP 4.6 the Metering product has been deprecated [1], set as wont-fix and may be fixed in a future release.

Red Hat Ceph Storage (RHCS) 4 packages a version of nodejs-hosted-git-info which is vulnerable to this flaw in the grafana-container shipped with it.

Red Hat Quay includes hosted-git-info as a dependency of karma-coverage which is only used at development time. The hosted-git-info library is not used at runtime so the impact is low for Red Hat Quay.

Red Hat Virtualization includes a vulnerable version of hosted-git-info, however it is only used during development. The hosted-git-info library is not used at runtime thus impact is rated Low and marked as "wontfix" at this time. Future updates may address this flaw.

[1] - https://access.redhat.com/solutions/5707561

Additional information

  • Bugzilla 1943208: nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()
  • CWE-400: Uncontrolled Resource Consumption
  • FAQ: Frequently asked questions about CVE-2021-23362

Common Vulnerability Scoring System (CVSS) Score Details

Important note

CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).

CVSS v3 Score Breakdown
Red HatNVD

CVSS v3 Base Score

5.3

5.3

Attack Vector

Network

Network

Attack Complexity

Low

Low

Privileges Required

None

None

User Interaction

None

None

Scope

Unchanged

Unchanged

Confidentiality Impact

None

None

Integrity Impact

None

None

Availability Impact

Low

Low

CVSS v3 Vector

Red Hat: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

NVD: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Understanding the Weakness (CWE)

CWE-400

Availability

Technical Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)

If an attacker can trigger the allocation of the limited resources, but the number or size of the resources is not controlled, then the most common result is denial of service. This would prevent valid users from accessing the product, and it could potentially have an impact on the surrounding environment, i.e., the product may slow down, crash due to unhandled errors, or lock out legitimate users. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system.

Access Control,Other

Technical Impact: Bypass Protection Mechanism; Other

In some cases it may be possible to force the product to "fail open" in the event of resource exhaustion. The state of the product -- and possibly the security functionality - may then be compromised.

Frequently Asked Questions

Why is Red Hat's CVSS v3 score or Impact different from other vendors?

My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?

What can I do if my product is listed as "Will not fix"?

What can I do if my product is listed as "Fix deferred"?

What is a mitigation?

I have a Red Hat product but it is not in the above list, is it affected?

Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?

Want to get errata notifications? Sign up here.