Bug 1218843 (CVE-2020-7753)

Summary:	VUL-0: CVE-2020-7753: grafana: nodejs-trim: Regular Expression Denial of Service (ReDoS) in trim function
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P5 - None	CC:	carlos.lopez
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/270265/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-01-16 12:14:26 UTC

All versions of package trim are vulnerable to Regular Expression Denial of
Service (ReDoS) via trim().

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7753
https://www.cve.org/CVERecord?id=CVE-2020-7753
https://github.com/component/trim/blob/master/index.js%23L6
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1022132
https://snyk.io/vuln/SNYK-JS-TRIM-1017038
https://bugzilla.redhat.com/show_bug.cgi?id=1891860
https://github.com/component/trim/blob/master/index.js
https://lists.apache.org/thread.html/r10faad1ef9166d37a1a5c9142b1af7099b8ecdc5ad05c51b8ea993d9@%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/r51ff3c2a4c7b8402f321eae7e624672cc2295c7bc8c12c8b871f6b0b@%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/rcc7c2865a52b544a8e49386c6880e9b9ab29bfce1052b5569d09ee4a@%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/r75b8d0b88833d7d96afcdce3ead65e212572ead4e7a9f34d21040196@%3Ccommits.airflow.apache.org%3E
https://lists.apache.org/thread.html/rb8462df3b6484e778905c09cd49a8912e1a302659860017ebe36da03@%3Ccommits.airflow.apache.org%3E
http://www.cvedetails.com/cve/CVE-2020-7753/

Comment 1 Carlos López 2024-01-16 12:14:46 UTC

Already fixed.

Comment 3 Maintenance Automation 2024-01-23 20:30:20 UTC

SUSE-SU-2024:0196-1: An update that solves 44 vulnerabilities, contains 14 features and has 35 security fixes can now be installed.

Category: security (moderate)
Bug References: 1172110, 1176460, 1180816, 1180942, 1181119, 1181935, 1183684, 1187725, 1188061, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1197507, 1198903, 1199810, 1200142, 1200480, 1200591, 1200968, 1200970, 1201003, 1201059, 1201535, 1201539, 1202614, 1202945, 1203283, 1203596, 1203597, 1203599, 1204032, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205599, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208060, 1208062, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210640, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-23552, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3694, PED-4556, PED-5405, PED-5406, SLE-23422, SLE-23439, SLE-23631, SLE-24133, SLE-24565, SLE-24791
Sources used:
SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1
SUSE Manager Client Tools Beta for SLE 15 (src): python-pyvmomi-6.7.3-159000.3.6.1, golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, supportutils-plugin-salt-1.2.2-159000.5.9.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, mgr-push-5.0.1-159000.4.21.1, golang-github-lusitaniae-apache_exporter-1.0.0-159000.4.12.1, rhnlib-5.0.1-159000.6.30.1, golang-github-prometheus-prometheus-2.45.0-159000.6.33.1, spacewalk-client-tools-5.0.1-159000.6.48.1, uyuni-common-libs-5.0.1-159000.3.33.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1, golang-github-boynux-squid_exporter-1.6-159000.4.9.1, ansible-2.9.27-159000.3.9.1, prometheus-postgres_exporter-0.10.1-159000.3.6.1, grafana-9.5.8-159000.4.24.1, spacecmd-5.0.1-159000.6.42.1, python-hwdata-2.3.5-159000.5.13.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, supportutils-plugin-susemanager-client-5.0.1-159000.6.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 Maintenance Automation 2024-01-23 20:30:50 UTC

SUSE-SU-2024:0191-1: An update that solves 45 vulnerabilities, contains 17 features and has 30 security fixes can now be installed.

Category: security (moderate)
Bug References: 1047218, 1172110, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1194873, 1195726, 1195727, 1195728, 1196338, 1196652, 1197507, 1198903, 1199810, 1200480, 1200591, 1200725, 1201003, 1201059, 1201535, 1201539, 1203283, 1203596, 1203597, 1203599, 1204032, 1204089, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208051, 1208060, 1208062, 1208064, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-39226, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-23552, CVE-2022-27191, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128, CVE-2023-40577
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3578, PED-3694, PED-4556, PED-5405, PED-5406, PED-7353, SLE-23422, SLE-23439, SLE-24238, SLE-24239, SLE-24565, SLE-24791, SUMA-114
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): rhnlib-5.0.1-24.30.3, spacecmd-5.0.1-41.42.3, grafana-9.5.8-4.21.2, prometheus-postgres_exporter-0.10.1-3.6.4, golang-github-prometheus-node_exporter-1.5.0-4.15.4, golang-github-QubitProducts-exporter_exporter-0.4.0-4.6.2, system-user-grafana-1.0.0-3.7.2, kiwi-desc-saltboot-0.1.1687520761.cefb248-4.15.2, golang-github-prometheus-prometheus-2.45.0-4.33.3, supportutils-plugin-susemanager-client-5.0.1-9.15.2, uyuni-common-libs-5.0.1-3.33.3, prometheus-blackbox_exporter-0.24.0-3.6.3, golang-github-lusitaniae-apache_exporter-1.0.0-4.12.4, golang-github-prometheus-alertmanager-0.26.0-4.12.4, system-user-prometheus-1.0.0-3.7.2, python-hwdata-2.3.5-15.12.2, golang-github-boynux-squid_exporter-1.6-4.9.2, supportutils-plugin-salt-1.2.2-9.9.2, golang-github-prometheus-promu-0.14.0-4.12.2, mgr-push-5.0.1-4.21.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Maintenance Automation 2024-02-15 16:30:59 UTC

SUSE-RU-2024:0511-1: An update that solves five vulnerabilities and contains one feature can now be installed.

Category: recommended (moderate)
Bug References: 1192154, 1192696, 1200480, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-0155
Jira References: MSQA-719
Sources used:
openSUSE Leap 15.5 (src): grafana-9.5.8-150200.3.53.2
SUSE Package Hub 15 15-SP5 (src): grafana-9.5.8-150200.3.53.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Maintenance Automation 2024-02-15 16:32:02 UTC

SUSE-SU-2024:0487-1: An update that solves eight vulnerabilities and contains one feature can now be installed.

Category: security (moderate)
Bug References: 1192154, 1192696, 1193492, 1193686, 1200480, 1204023, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2021-43798, CVE-2021-43815, CVE-2022-0155, CVE-2022-41715
Jira References: MSQA-719
Sources used:
openSUSE Leap 15.5 (src): golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.20.1, spacecmd-4.3.26-150000.3.113.1, prometheus-postgres_exporter-0.10.1-150000.1.17.1
SUSE Manager Client Tools for SLE 15 (src): spacewalk-client-tools-4.3.18-150000.3.86.2, mgr-daemon-4.3.8-150000.1.44.1, uyuni-proxy-systemd-services-4.3.10-150000.1.15.1, spacecmd-4.3.26-150000.3.113.1, golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.20.1, golang-github-prometheus-prometheus-2.45.0-150000.3.53.1, grafana-9.5.8-150000.1.60.2, prometheus-postgres_exporter-0.10.1-150000.1.17.1
SUSE Manager Client Tools for SLE Micro 5 (src): uyuni-proxy-systemd-services-4.3.10-150000.1.15.1
SUSE Manager Proxy 4.3 Module 4.3 (src): golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.20.1
SUSE Manager Server 4.3 Module 4.3 (src): golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Maintenance Automation 2024-02-15 16:32:07 UTC

SUSE-SU-2024:0486-1: An update that solves nine vulnerabilities and contains two features can now be installed.

Category: security (moderate)
Bug References: 1192154, 1192696, 1193492, 1193686, 1200480, 1204023, 1218838, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2021-43798, CVE-2021-43815, CVE-2022-0155, CVE-2022-41715, CVE-2023-40577
Jira References: MSQA-719, PED-7353
Sources used:
SUSE Manager Client Tools for SLE 12 (src): spacewalk-client-tools-4.3.18-52.95.2, mgr-daemon-4.3.8-1.44.2, golang-github-prometheus-alertmanager-0.26.0-1.24.2, golang-github-lusitaniae-apache_exporter-1.0.0-1.21.2, grafana-9.5.8-1.60.1, spacecmd-4.3.26-38.136.2, golang-github-prometheus-prometheus-2.45.0-1.50.2, prometheus-postgres_exporter-0.10.1-1.17.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Maintenance Automation 2024-03-04 12:30:09 UTC

SUSE-RU-2024:0746-1: An update that contains two features and has nine fixes can now be installed.

Category: recommended (moderate)
Bug References: 1192154, 1192696, 1193492, 1193686, 1200480, 1204023, 1218838, 1218843, 1218844
Jira References: MSQA-720, PED-7843
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): golang-github-prometheus-prometheus-2.45.0-4.36.1, spacewalk-client-tools-5.0.3-55.48.1, supportutils-plugin-susemanager-client-5.0.2-9.18.1, rhnlib-5.0.2-24.33.1, uyuni-tools-0.1.4-3.3.1, golang-github-prometheus-alertmanager-0.26.0-4.15.1, uyuni-common-libs-5.0.2-3.36.1, grafana-9.5.8-4.24.1, spacecmd-5.0.4-41.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Maintenance Automation 2024-03-04 12:30:14 UTC

SUSE-RU-2024:0745-1: An update that contains two features and has eight fixes can now be installed.

Category: recommended (moderate)
Bug References: 1192154, 1192696, 1193492, 1193686, 1200480, 1204023, 1218843, 1218844
Jira References: MSQA-720, PED-7843
Sources used:
SUSE Manager Client Tools Beta for SLE 15 (src): supportutils-plugin-susemanager-client-5.0.2-159000.6.18.1, grafana-9.5.8-159000.4.27.1, uyuni-tools-0.1.4-159000.3.3.1, uyuni-common-libs-5.0.2-159000.3.36.1, golang-github-prometheus-prometheus-2.45.0-159000.6.36.1, spacecmd-5.0.4-159000.6.45.1, spacewalk-client-tools-5.0.3-159000.6.51.1, rhnlib-5.0.2-159000.6.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.