Bug 1212573

Summary:	VUL-0: CVE-2022-25883: cockpit,cockpit-tukit,cockpit-podman,cockpit-machines: semver: Versions of the package semver before 7.5.2 are vulnerable to ReDos
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Cathy Hu <cathy.hu>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED INVALID	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	luna.dragon, security-team
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/370063/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	1212565

Description Cathy Hu 2023-06-21 11:40:10 UTC

+++ This bug was initially created as a clone of Bug #1212565 +++

CVE-2022-25883

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression
Denial of Service (ReDoS) via the function new Range, when untrusted user data
is provided as a range.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25883
https://www.cve.org/CVERecord?id=CVE-2022-25883
https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
https://github.com/npm/node-semver/pull/564
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795

Comment 1 Cathy Hu 2023-06-21 11:42:50 UTC

From a quick scan, semver is embedded in the following codestreams, so tracking as affected:

- SUSE:SLE-15-SP3:Update:Products:MicroOS51:Update/cockpit                                    
- SUSE:SLE-15-SP3:Update:Products:MicroOS51:Update/cockpit-podman    
                                                                                              
- SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit
- SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit-machines                           
- SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit-podman                             
- SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit-tukit                              
                                                                                          
- SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit
- SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit-machines    
- SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit-podman
- SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit-tukit
                                                                                          
- SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit
- SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit-machines    
- SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit-podman
- SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit-tukit
                                                                                          
- openSUSE:Factory/cockpit                                           
- openSUSE:Factory/cockpit-machines                                  
- openSUSE:Factory/cockpit-podman                                    
- openSUSE:Factory/cockpit-tukit


Please let me know in case this is not affecting the cockpit parts and is not used and shipped, then i will adjust the tracking.

Comment 2 Luna D Dragon 2023-06-22 01:52:24 UTC

From a initial glance, this is not directly used in any package mentioned and is not a issue, will confirm with upstream. (Cockpit-tukit is definitely not exposed)

Comment 3 Luna D Dragon 2023-06-22 04:49:06 UTC

confirmed with upstream. semver is used as a build time dependency and hence the cve does not affect cockpit

Comment 4 Cathy Hu 2023-06-22 09:23:51 UTC

okay, thanks, closing