#VU69942 Incorrect Regular Expression in minimatch


Published: 2022-12-06

Vulnerability identifier: #VU69942

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3517

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
minimatch
Web applications / JS libraries

Vendor: isaacs

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

minimatch: 0.0.1 - 3.0.4

CPE

External links
http://github.com/grafana/grafana-image-renderer/issues/329
http://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management
Multiple vulnerabilities in IBM Spectrum Protect Plus File Systems Agent
Denial of service in App Connect Enterprise Certified Container
Incorrect regular expression in IBM Cloud Pak for Integration (CP4I)
Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes
Red Hat Software Collections update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon
Incorrect regular expression in IBM Robotic Process Automation
Multiple vulnerabilities in Migration Toolkit for Runtimes
Incorrect regular expression in IBM Process Mining
Red Hat Enterprise Linux 9 update for nodejs and nodejs-nodemon