Bug 1197283 – VUL-1: CVE-2021-44907: nodejs14,nodejs12,nodejs10,nodejs8,nodejs6,nodejs4,nodejs16: potential Denial of Service vulnerability in qs due to insufficient sanitization of property in the gs.parse function

Bug 1197283 - (CVE-2021-44907) VUL-1: CVE-2021-44907: nodejs14,nodejs12,nodejs10,nodejs8,nodejs6,nodejs4,nodejs16: potential Denial of Service vulnerability in qs due to insufficient sanitization of property in the gs.parse function

(CVE-2021-44907)
Summary:	VUL-1: CVE-2021-44907: nodejs14,nodejs12,nodejs10,nodejs8,nodejs6,nodejs4,nod...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Adam Majer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/326597/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-44907:3.1:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-03-18 11:02 UTC by Thomas Leroy
Modified:	2022-05-17 19:22 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Leroy 2022-03-18 11:02:52 UTC

CVE-2021-44907

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient
sanitization of property in the gs.parse function. The merge() function allows
the assignment of properties on an array in the query. For any property being
assigned, a value in the array is converted to an object containing these
properties. Essentially, this means that the property whose expected type is
Array always has to be checked with Array.isArray() by the user. This may not be
obvious to the user and can cause unexpected behavior.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907
https://github.com/ljharb/qs/blob/master/dist/qs.js#L670
https://github.com/ljharb/qs/issues/436
https://jsfiddle.net/65jxksay/
https://jsfiddle.net/pb6an1dy/

Comment 1 Thomas Leroy 2022-03-18 11:06:27 UTC

This one looks disputed by the upstream maintainer. There is no upstream fix, and I don't know if there will be one.

Nevertheless, these codestreams ship a vulnerable version of node-qs:

nodejs6
SUSE:SLE-12:Update

nodejs8
SUSE:SLE-15:Update
SUSE:SLE-15-SP2:Update 

nodejs10
SUSE:SLE-12:Update
SUSE:SLE-15:Update

nodejs12
SUSE:SLE-12:Update
SUSE:SLE-15-SP2:Update

nodejs14
SUSE:SLE-12-SP4:Update
SUSE:SLE-15-SP2:Update

Comment 3 Swamp Workflow Management 2022-04-28 16:17:53 UTC

SUSE-SU-2022:1459-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1196877,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.19.1-6.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 Swamp Workflow Management 2022-04-28 19:18:23 UTC

SUSE-SU-2022:1462-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1196877,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs14-14.19.1-150200.15.31.1
openSUSE Leap 15.3 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Manager Server 4.1 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Manager Proxy 4.1 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Enterprise Storage 7 (src):    nodejs14-14.19.1-150200.15.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Swamp Workflow Management 2022-04-28 19:19:30 UTC

SUSE-SU-2022:1461-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1196877,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs12-12.22.12-150200.4.32.1
openSUSE Leap 15.3 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Manager Server 4.1 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Manager Proxy 4.1 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Enterprise Storage 7 (src):    nodejs12-12.22.12-150200.4.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2022-04-29 13:18:56 UTC

SUSE-SU-2022:1466-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.12-1.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2022-05-17 10:17:57 UTC

SUSE-SU-2022:1694-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194819,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs8-8.17.0-150200.10.22.1
openSUSE Leap 15.3 (src):    nodejs8-8.17.0-150200.10.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2022-05-17 19:22:00 UTC

SUSE-SU-2022:1717-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1191962,1191963,1192153,1192154,1192696,1194514,1194819,1197283,1198247
CVE References: CVE-2021-23343,CVE-2021-32803,CVE-2021-32804,CVE-2021-3807,CVE-2021-3918,CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs10-10.24.1-150000.1.44.1
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Manager Server 4.1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Manager Proxy 4.1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Enterprise Storage 7 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Enterprise Storage 6 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE CaaS Platform 4.0 (src):    nodejs10-10.24.1-150000.1.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.