|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2024-4068: cockpit,cockpit-agama,cockpit-machines,cockpit-podman,cockpit-tukit: the npm package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED UPSTREAM | QA Contact: | Security Team bot <security-team> |
| Severity: | Minor | ||
| Priority: | P3 - Medium | CC: | gabriele.sonnu, jzerebecki, luna.dragon, miika.alikirri |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/405385/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2024-4068:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 1224256 | ||
|
Description
SMASH SMASH
2024-05-15 11:34:08 UTC
A vulnerable version (3.0.2) of the braces package is embedded in: - openSUSE:Factory/cockpit-agama - SUSE:ALP:Source:Standard:1.0/cockpit-agama - openSUSE:Factory/cockpit-machines - SUSE:ALP:Source:Standard:1.0/cockpit-machines - SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit-machines - SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit-machines - SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit-machines - SUSE:SLE-15-SP5:Update:Products:Micro55:Update/cockpit-machines - openSUSE:Factory/cockpit-podman - SUSE:ALP:Source:Standard:1.0/cockpit-podman - SUSE:SLE-15-SP3:Update:Products:MicroOS51:Update/cockpit-podman - SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit-podman - SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit-podman - SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit-podman - SUSE:SLE-15-SP5:Update:Products:Micro55:Update/cockpit-podman - openSUSE:Factory/cockpit-tukit - SUSE:ALP:Source:Standard:1.0/cockpit-tukit - SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit-tukit - SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit-tukit - SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit-tukit - SUSE:SLE-15-SP5:Update:Products:Micro55:Update/cockpit-tukit - openSUSE:Factory/cockpit - SUSE:ALP:Source:Standard:1.0/cockpit - SUSE:SLE-15-SP3:Update:Products:MicroOS51:Update/cockpit - SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit - SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit - SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit - SUSE:SLE-15-SP5:Update:Products:Micro55:Update/cockpit Upstream issue: https://github.com/micromatch/braces/issues/35 I checked https://github.com/cockpit-project/cockpit/blob/main/package.json and it does not contain braces and the braces in https://build.opensuse.org/projects/openSUSE:Factory/packages/cockpit/files/package-lock.json?expand=1 is only there due to devDependencies. If that is the same for the other packages and someone can confirm, then we can mark this as not applying to our usage, as it is only used at build time and additionally will not be exposed to user input. (In reply to Jan Zerebecki from comment #2) > I checked https://github.com/cockpit-project/cockpit/blob/main/package.json > and it does not contain braces and the braces in > https://build.opensuse.org/projects/openSUSE:Factory/packages/cockpit/files/ > package-lock.json?expand=1 is only there due to devDependencies. > > If that is the same for the other packages and someone can confirm, then we > can mark this as not applying to our usage, as it is only used at build time > and additionally will not be exposed to user input. I went through all of the packages and in all of them the braces package was a sub dependency of a devDepencies. Thanks, I've updated our tracking. Nothing to do, closing. |