Bug 1212572

Summary: VUL-0: CVE-2022-25883: velociraptor: semver: Versions of the package semver before 7.5.2 are vulnerable to ReDos
Product: [Novell Products] SUSE Security Incidents
Reporter: Cathy Hu <cathy.hu>
Component: Incidents
Assignee: Antonio Teixeira <antonio.teixeira>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gianluca.gabrielli, jeffm, security-team, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370063/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1212565

Comment 1 Cathy Hu 2023-06-21 11:31:02 UTC
From a quick scan, semver is embedded in the embedded nodejs in velociraptor:

Tracking as affected, please let me know if you think I missed anything:
- SUSE:ALP:Source:Standard:1.0/velociraptor                          0.6.7.5~git81.01be570
- openSUSE:Factory/velociraptor                                      0.6.7.5~git81.01be570

Velociraptor does not have a bugowner in ALP, so assigning to bugowner of security:sensor, please let me know if you are not the right person, then I will reassign.