Bug ID 1224384
Summary VUL-0: CVE-2024-4068: traefik: the npm package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS)
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.6
Hardware Other
URL https://smash.suse.de/issue/405384/
OS Other
Status NEW
Severity Major
Priority P5 - None
Component Security
Assignee alexandre.vicenzi@suse.com
Reporter smash_bz@suse.de
QA Contact security-team@suse.de
CC gabriele.sonnu@suse.com
Target Milestone ---
Found By Security Response Team
Blocker ---

The NPM package `micromatch` is vulnerable to Regular Expression Denial of
Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in
`index.js` because the pattern `.*` will greedily match anything. By passing a
malicious payload, the pattern matching will keep backtracking to the input
while it doesn't find the closing bracket. As the input size increases, the
consumption time will also increase until it causes the application to hang or
slow down. There was a merged fix but further testing shows the issue persists.
This issue should be mitigated by using a safe pattern that won't start
backtracking the regular expression due to greedy matching.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4067
https://www.cve.org/CVERecord?id=CVE-2024-4067
https://devhub.checkmarx.com/cve-details/CVE-2024-4067/
https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247


You are receiving this mail because: