Bug 1197283 - (CVE-2021-44907) VUL-1: CVE-2021-44907: nodejs14,nodejs12,nodejs10,nodejs8,nodejs6,nodejs4,nodejs16: potential Denial of Service vulnerability in qs due to insufficient sanitization of property in the gs.parse function
(CVE-2021-44907)
VUL-1: CVE-2021-44907: nodejs14,nodejs12,nodejs10,nodejs8,nodejs6,nodejs4,nod...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Adam Majer
Security Team bot
https://smash.suse.de/issue/326597/
CVSSv3.1:SUSE:CVE-2021-44907:3.1:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-03-18 11:02 UTC by Thomas Leroy
Modified: 2022-05-17 19:22 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2022-03-18 11:02:52 UTC
CVE-2021-44907

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient
sanitization of property in the gs.parse function. The merge() function allows
the assignment of properties on an array in the query. For any property being
assigned, a value in the array is converted to an object containing these
properties. Essentially, this means that the property whose expected type is
Array always has to be checked with Array.isArray() by the user. This may not be
obvious to the user and can cause unexpected behavior.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907
https://github.com/ljharb/qs/blob/master/dist/qs.js#L670
https://github.com/ljharb/qs/issues/436
https://jsfiddle.net/65jxksay/
https://jsfiddle.net/pb6an1dy/
Comment 1 Thomas Leroy 2022-03-18 11:06:27 UTC
This one looks disputed by the upstream maintainer. There is no upstream fix, and I don't know if there will be one.

Nevertheless, these codestreams ship a vulnerable version of node-qs:

nodejs6
SUSE:SLE-12:Update

nodejs8
SUSE:SLE-15:Update
SUSE:SLE-15-SP2:Update 

nodejs10
SUSE:SLE-12:Update
SUSE:SLE-15:Update

nodejs12
SUSE:SLE-12:Update
SUSE:SLE-15-SP2:Update

nodejs14
SUSE:SLE-12-SP4:Update
SUSE:SLE-15-SP2:Update
Comment 3 Swamp Workflow Management 2022-04-28 16:17:53 UTC
SUSE-SU-2022:1459-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1196877,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.19.1-6.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2022-04-28 19:18:23 UTC
SUSE-SU-2022:1462-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1196877,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs14-14.19.1-150200.15.31.1
openSUSE Leap 15.3 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Manager Server 4.1 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Manager Proxy 4.1 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Enterprise Storage 7 (src):    nodejs14-14.19.1-150200.15.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-04-28 19:19:30 UTC
SUSE-SU-2022:1461-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1196877,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs12-12.22.12-150200.4.32.1
openSUSE Leap 15.3 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Manager Server 4.1 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Manager Proxy 4.1 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Enterprise Storage 7 (src):    nodejs12-12.22.12-150200.4.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-04-29 13:18:56 UTC
SUSE-SU-2022:1466-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.12-1.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-05-17 10:17:57 UTC
SUSE-SU-2022:1694-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194819,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs8-8.17.0-150200.10.22.1
openSUSE Leap 15.3 (src):    nodejs8-8.17.0-150200.10.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-05-17 19:22:00 UTC
SUSE-SU-2022:1717-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1191962,1191963,1192153,1192154,1192696,1194514,1194819,1197283,1198247
CVE References: CVE-2021-23343,CVE-2021-32803,CVE-2021-32804,CVE-2021-3807,CVE-2021-3918,CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs10-10.24.1-150000.1.44.1
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Manager Server 4.1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Manager Proxy 4.1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Enterprise Storage 7 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE Enterprise Storage 6 (src):    nodejs10-10.24.1-150000.1.44.1
SUSE CaaS Platform 4.0 (src):    nodejs10-10.24.1-150000.1.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.