Bug 1187977 - (CVE-2021-23362) VUL-0: CVE-2021-23362: nodejs10,nodejs12,nodejs14,nodejs: npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/303419
CVSSv3.1:SUSE:CVE-2021-23362:5.3:(AV:...
Reported: 2021-07-02 14:01 UTC by Robert Frohl
Modified: 2021-08-10 04:19 UTC (History)
Description Robert Frohl 2021-07-02 14:01:48 UTC
npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium) (CVE-2021-23362)

This is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks.

You can read more about it in https://nvd.nist.gov/vuln/detail/CVE-2021-23362

Impacts:

- All versions of the 12.x release line
- Versions of the 14.x release line before 14.17.0 which included an update to the latest npm 6.

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
Comment 2 Robert Frohl 2021-07-06 14:39:11 UTC
more info from snyk.io:
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
Comment 3 Robert Frohl 2021-07-06 14:49:38 UTC
tracking as affected:

nodejs4:
- SUSE:SLE-12:Update

nodejs6:
- SUSE:SLE-12:Update

nodejs8:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update

nodejs10:
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update

nodejs12:
- SUSE:SLE-12:Update
- SUSE:SLE-15-SP2:Update

nodejs14:
- SUSE:SLE-12-SP4:Update
- SUSE:SLE-15-SP2:Update
Comment 10 Swamp Workflow Management 2021-07-14 19:58:41 UTC
SUSE-SU-2021:2323-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1183155,1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs10-10.24.1-1.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-07-14 20:00:21 UTC
SUSE-SU-2021:2326-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.2-1.32.1
Comment 12 Swamp Workflow Management 2021-07-14 20:05:31 UTC
SUSE-SU-2021:2319-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.17.2-6.12.1
Comment 13 Swamp Workflow Management 2021-07-14 20:10:45 UTC
openSUSE-SU-2021:2327-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.2-4.16.1
Comment 14 Swamp Workflow Management 2021-07-14 20:12:31 UTC
SUSE-SU-2021:2327-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.2-4.16.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.22.2-4.16.1
Comment 15 Swamp Workflow Management 2021-07-15 16:25:02 UTC
openSUSE-SU-2021:2354-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.17.2-5.12.1
Comment 16 Swamp Workflow Management 2021-07-15 16:30:54 UTC
SUSE-SU-2021:2353-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1183155,1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    nodejs10-10.24.1-1.36.1
SUSE Manager Retail Branch Server 4.0 (src):    nodejs10-10.24.1-1.36.1
SUSE Manager Proxy 4.0 (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.24.1-1.36.1
SUSE Enterprise Storage 6 (src):    nodejs10-10.24.1-1.36.1
SUSE CaaS Platform 4.0 (src):    nodejs10-10.24.1-1.36.1
Comment 17 Swamp Workflow Management 2021-07-15 16:33:37 UTC
SUSE-SU-2021:2354-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.17.2-5.12.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.17.2-5.12.1
Comment 18 Swamp Workflow Management 2021-07-15 16:43:06 UTC
openSUSE-SU-2021:2353-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1183155,1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-1.36.1
Comment 19 Swamp Workflow Management 2021-07-20 01:19:03 UTC
openSUSE-SU-2021:1059-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.22.2-lp152.3.15.1
Comment 20 Swamp Workflow Management 2021-07-20 01:20:42 UTC
openSUSE-SU-2021:1061-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1183155,1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs10-10.24.1-lp152.2.15.1
Comment 21 Swamp Workflow Management 2021-07-20 01:25:38 UTC
openSUSE-SU-2021:1060-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.17.2-lp152.11.1
Comment 23 Swamp Workflow Management 2021-08-05 14:03:46 UTC
openSUSE-SU-2021:2618-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs8-8.17.0-10.12.2
Comment 24 Swamp Workflow Management 2021-08-05 14:47:53 UTC
SUSE-SU-2021:2620-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1182620,1184450,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22884,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Manager Retail Branch Server 4.0 (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Manager Proxy 4.0 (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs-common-2.0-3.2.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE Enterprise Storage 6 (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
SUSE CaaS Platform 4.0 (src):    nodejs-common-2.0-3.2.1, nodejs8-8.17.0-3.47.2
Comment 25 Swamp Workflow Management 2021-08-05 14:55:04 UTC
SUSE-SU-2021:2618-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs8-8.17.0-10.12.2
Comment 26 Marcus Meissner 2021-08-09 11:00:04 UTC
released
Comment 27 Swamp Workflow Management 2021-08-10 04:19:24 UTC
openSUSE-SU-2021:1113-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs8-8.17.0-lp152.3.14.1
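An added check, not part of this bug report or of SUSE's tooling: a Python script that asks rpm for the installed nodejs package's VERSION-RELEASE and compares it, using an rpmvercmp-style ordering, against the fixed builds listed in the advisories above. It assumes the rpm CLI is present and uses the SLE Module for Web Scripting 15-SP2 values; substitute your product's row from the matching advisory.

```python
import re
import subprocess
from itertools import zip_longest
from typing import Optional

# Fixed VERSION-RELEASE per package for SLE Module for Web Scripting 15-SP2, copied from
# the advisories on this page (nodejs8: 2618-1, nodejs10: 2353-1, nodejs12: 2327-1, nodejs14: 2354-1).
FIXED_15SP2 = {
    "nodejs8": "8.17.0-10.12.2",
    "nodejs10": "10.24.1-1.36.1",
    "nodejs12": "12.22.2-4.16.1",
    "nodejs14": "14.17.2-5.12.1",
}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")  # rpm skips any other separator characters


def rpmvercmp(a: str, b: str) -> int:
    """Order two rpm version/release strings as rpm's rpmvercmp() does; returns -1, 0 or 1."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~" or y == "~":  # pre-release marker sorts first: "1.0~rc1" < "1.0"
            return -1 if x == "~" else 1
        if x is None or y is None:  # the string with segments left over wins: "1.0" < "1.0a"
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():  # numeric segments compare as integers: "10" > "9"
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():  # a numeric segment beats an alphabetic one: "1.0.1" > "1.0a"
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)  # both alphabetic: plain lexical order
    return 0


def is_patched(installed: str, fixed: str) -> bool:
    """True if the installed 'VERSION-RELEASE' is at or above the fixed one (version first, then release)."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0


def installed_evr(package: str) -> Optional[str]:
    """VERSION-RELEASE of an installed package as reported by rpm, or None if it is not installed."""
    proc = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    for pkg, fix in FIXED_15SP2.items():
        have = installed_evr(pkg)
        state = "not installed" if have is None else ("patched" if is_patched(have, fix) else "VULNERABLE")
        print(f"{pkg}: {have or '-'} [{state}; fixed in {fix}]")
```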