csaf_suse - suse-su-2022:3313-1

Vulnerability from csaf_suse

Published

2022-09-19 15:37

Modified

2022-09-19 15:37

Summary

Security update for release-notes-susemanager, release-notes-susemanager-proxy

Notes

Title of the patch

Security update for release-notes-susemanager, release-notes-susemanager-proxy

Description of the patch

This update for release-notes-susemanager, release-notes-susemanager-proxy fixes the following issues: Release notes for SUSE Manager: - Update to SUSE:Manager 4.2.9 * Notification about SUSE Manager end-of-life has been added * CVEs fixed: CVE-2021-43138, CVE-2021-42740, CVE-2022-31129, CVE-2021-41411 * Bugs mentioned: bsc#1172705, bsc#1187028, bsc#1195455, bsc#1195895, bsc#1196729 bsc#1198168, bsc#1198489, bsc#1198738, bsc#1198903, bsc#1199372 bsc#1199659, bsc#1199913, bsc#1199950, bsc#1200276, bsc#1200296 bsc#1200480, bsc#1200532, bsc#1200573, bsc#1200591, bsc#1200629 bsc#1201142, bsc#1201189, bsc#1201210, bsc#1201220, bsc#1201224 bsc#1201527, bsc#1201606, bsc#1201607, bsc#1201626, bsc#1201753 bsc#1201913, bsc#1201918, bsc#1202142, bsc#1202272, bsc#1202464 bsc#1202728, bsc#1203287, bsc#1203288, bsc#1203449 Release notes for SUSE Manager Proxy: - Update to SUSE Manager 4.2.9 * CVEs fixed: CVE-2021-43138, CVE-2021-42740, CVE-2022-31129 * Bugs mentioned: bsc#1198168, bsc#1198903, bsc#1199659, bsc#1200480, bsc#1200591 bsc#1201142, bsc#1202142, bsc#1202724

Patchnames

SUSE-2022-3313,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2022-3313,SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2022-3313,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2022-3313

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://www.suse.com/support/security/rating/",
         text: "critical",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright 2024 SUSE LLC. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Security update for release-notes-susemanager, release-notes-susemanager-proxy",
            title: "Title of the patch",
         },
         {
            category: "description",
            text: "This update for release-notes-susemanager, release-notes-susemanager-proxy fixes the following issues:\n\nRelease notes for SUSE Manager:\n\n- Update to SUSE:Manager 4.2.9\n  * Notification about SUSE Manager end-of-life has been added\n  * CVEs fixed: CVE-2021-43138, CVE-2021-42740, CVE-2022-31129, CVE-2021-41411\n  * Bugs mentioned:\n    bsc#1172705, bsc#1187028, bsc#1195455, bsc#1195895, bsc#1196729\n    bsc#1198168, bsc#1198489, bsc#1198738, bsc#1198903, bsc#1199372\n    bsc#1199659, bsc#1199913, bsc#1199950, bsc#1200276, bsc#1200296\n    bsc#1200480, bsc#1200532, bsc#1200573, bsc#1200591, bsc#1200629\n    bsc#1201142, bsc#1201189, bsc#1201210, bsc#1201220, bsc#1201224\n    bsc#1201527, bsc#1201606, bsc#1201607, bsc#1201626, bsc#1201753\n    bsc#1201913, bsc#1201918, bsc#1202142, bsc#1202272, bsc#1202464\n    bsc#1202728, bsc#1203287, bsc#1203288, bsc#1203449\n\nRelease notes for SUSE Manager Proxy:\n\n- Update to SUSE Manager 4.2.9\n  * CVEs fixed: CVE-2021-43138, CVE-2021-42740, CVE-2022-31129\n  * Bugs mentioned:\n    bsc#1198168, bsc#1198903, bsc#1199659, bsc#1200480, bsc#1200591\n    bsc#1201142, bsc#1202142, bsc#1202724\n",
            title: "Description of the patch",
         },
         {
            category: "details",
            text: "SUSE-2022-3313,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2022-3313,SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2022-3313,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2022-3313",
            title: "Patchnames",
         },
         {
            category: "legal_disclaimer",
            text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
            title: "Terms of use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://www.suse.com/support/security/contact/",
         name: "SUSE Product Security Team",
         namespace: "https://www.suse.com/",
      },
      references: [
         {
            category: "external",
            summary: "SUSE ratings",
            url: "https://www.suse.com/support/security/rating/",
         },
         {
            category: "self",
            summary: "URL of this CSAF notice",
            url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3313-1.json",
         },
         {
            category: "self",
            summary: "URL for SUSE-SU-2022:3313-1",
            url: "https://www.suse.com/support/update/announcement/2022/suse-su-20223313-1/",
         },
         {
            category: "self",
            summary: "E-Mail link for SUSE-SU-2022:3313-1",
            url: "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012289.html",
         },
         {
            category: "self",
            summary: "SUSE Bug 1172705",
            url: "https://bugzilla.suse.com/1172705",
         },
         {
            category: "self",
            summary: "SUSE Bug 1187028",
            url: "https://bugzilla.suse.com/1187028",
         },
         {
            category: "self",
            summary: "SUSE Bug 1195455",
            url: "https://bugzilla.suse.com/1195455",
         },
         {
            category: "self",
            summary: "SUSE Bug 1195895",
            url: "https://bugzilla.suse.com/1195895",
         },
         {
            category: "self",
            summary: "SUSE Bug 1196729",
            url: "https://bugzilla.suse.com/1196729",
         },
         {
            category: "self",
            summary: "SUSE Bug 1198168",
            url: "https://bugzilla.suse.com/1198168",
         },
         {
            category: "self",
            summary: "SUSE Bug 1198489",
            url: "https://bugzilla.suse.com/1198489",
         },
         {
            category: "self",
            summary: "SUSE Bug 1198738",
            url: "https://bugzilla.suse.com/1198738",
         },
         {
            category: "self",
            summary: "SUSE Bug 1198903",
            url: "https://bugzilla.suse.com/1198903",
         },
         {
            category: "self",
            summary: "SUSE Bug 1199372",
            url: "https://bugzilla.suse.com/1199372",
         },
         {
            category: "self",
            summary: "SUSE Bug 1199659",
            url: "https://bugzilla.suse.com/1199659",
         },
         {
            category: "self",
            summary: "SUSE Bug 1199913",
            url: "https://bugzilla.suse.com/1199913",
         },
         {
            category: "self",
            summary: "SUSE Bug 1199950",
            url: "https://bugzilla.suse.com/1199950",
         },
         {
            category: "self",
            summary: "SUSE Bug 1200276",
            url: "https://bugzilla.suse.com/1200276",
         },
         {
            category: "self",
            summary: "SUSE Bug 1200296",
            url: "https://bugzilla.suse.com/1200296",
         },
         {
            category: "self",
            summary: "SUSE Bug 1200480",
            url: "https://bugzilla.suse.com/1200480",
         },
         {
            category: "self",
            summary: "SUSE Bug 1200532",
            url: "https://bugzilla.suse.com/1200532",
         },
         {
            category: "self",
            summary: "SUSE Bug 1200573",
            url: "https://bugzilla.suse.com/1200573",
         },
         {
            category: "self",
            summary: "SUSE Bug 1200591",
            url: "https://bugzilla.suse.com/1200591",
         },
         {
            category: "self",
            summary: "SUSE Bug 1200629",
            url: "https://bugzilla.suse.com/1200629",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201142",
            url: "https://bugzilla.suse.com/1201142",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201189",
            url: "https://bugzilla.suse.com/1201189",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201210",
            url: "https://bugzilla.suse.com/1201210",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201220",
            url: "https://bugzilla.suse.com/1201220",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201224",
            url: "https://bugzilla.suse.com/1201224",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201527",
            url: "https://bugzilla.suse.com/1201527",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201606",
            url: "https://bugzilla.suse.com/1201606",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201607",
            url: "https://bugzilla.suse.com/1201607",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201626",
            url: "https://bugzilla.suse.com/1201626",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201753",
            url: "https://bugzilla.suse.com/1201753",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201913",
            url: "https://bugzilla.suse.com/1201913",
         },
         {
            category: "self",
            summary: "SUSE Bug 1201918",
            url: "https://bugzilla.suse.com/1201918",
         },
         {
            category: "self",
            summary: "SUSE Bug 1202142",
            url: "https://bugzilla.suse.com/1202142",
         },
         {
            category: "self",
            summary: "SUSE Bug 1202272",
            url: "https://bugzilla.suse.com/1202272",
         },
         {
            category: "self",
            summary: "SUSE Bug 1202464",
            url: "https://bugzilla.suse.com/1202464",
         },
         {
            category: "self",
            summary: "SUSE Bug 1202724",
            url: "https://bugzilla.suse.com/1202724",
         },
         {
            category: "self",
            summary: "SUSE Bug 1202728",
            url: "https://bugzilla.suse.com/1202728",
         },
         {
            category: "self",
            summary: "SUSE Bug 1203287",
            url: "https://bugzilla.suse.com/1203287",
         },
         {
            category: "self",
            summary: "SUSE Bug 1203288",
            url: "https://bugzilla.suse.com/1203288",
         },
         {
            category: "self",
            summary: "SUSE Bug 1203449",
            url: "https://bugzilla.suse.com/1203449",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2021-41411 page",
            url: "https://www.suse.com/security/cve/CVE-2021-41411/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2021-42740 page",
            url: "https://www.suse.com/security/cve/CVE-2021-42740/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2021-43138 page",
            url: "https://www.suse.com/security/cve/CVE-2021-43138/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2022-31129 page",
            url: "https://www.suse.com/security/cve/CVE-2022-31129/",
         },
      ],
      title: "Security update for release-notes-susemanager, release-notes-susemanager-proxy",
      tracking: {
         current_release_date: "2022-09-19T15:37:27Z",
         generator: {
            date: "2022-09-19T15:37:27Z",
            engine: {
               name: "cve-database.git:bin/generate-csaf.pl",
               version: "1",
            },
         },
         id: "SUSE-SU-2022:3313-1",
         initial_release_date: "2022-09-19T15:37:27Z",
         revision_history: [
            {
               date: "2022-09-19T15:37:27Z",
               number: "1",
               summary: "Current version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-4.2.9-150300.3.54.1.aarch64",
                        product: {
                           name: "release-notes-susemanager-4.2.9-150300.3.54.1.aarch64",
                           product_id: "release-notes-susemanager-4.2.9-150300.3.54.1.aarch64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.aarch64",
                        product: {
                           name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.aarch64",
                           product_id: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.aarch64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "aarch64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-4.2.9-150300.3.54.1.i586",
                        product: {
                           name: "release-notes-susemanager-4.2.9-150300.3.54.1.i586",
                           product_id: "release-notes-susemanager-4.2.9-150300.3.54.1.i586",
                        },
                     },
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.i586",
                        product: {
                           name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.i586",
                           product_id: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.i586",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "i586",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                        product: {
                           name: "release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                           product_id: "release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                        },
                     },
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.ppc64le",
                        product: {
                           name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.ppc64le",
                           product_id: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.ppc64le",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "ppc64le",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                        product: {
                           name: "release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                           product_id: "release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                        },
                     },
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.s390x",
                        product: {
                           name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.s390x",
                           product_id: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.s390x",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
                        product: {
                           name: "release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
                           product_id: "release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                        product: {
                           name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                           product_id: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "SUSE Manager Proxy 4.2",
                        product: {
                           name: "SUSE Manager Proxy 4.2",
                           product_id: "SUSE Manager Proxy 4.2",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:suse-manager-proxy:4.2",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Manager Retail Branch Server 4.2",
                        product: {
                           name: "SUSE Manager Retail Branch Server 4.2",
                           product_id: "SUSE Manager Retail Branch Server 4.2",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:suse-manager-retail-branch-server:4.2",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Manager Server 4.2",
                        product: {
                           name: "SUSE Manager Server 4.2",
                           product_id: "SUSE Manager Server 4.2",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:suse-manager-server:4.2",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "SUSE Linux Enterprise",
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64 as component of SUSE Manager Proxy 4.2",
               product_id: "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
            },
            product_reference: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
            relates_to_product_reference: "SUSE Manager Proxy 4.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64 as component of SUSE Manager Retail Branch Server 4.2",
               product_id: "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
            },
            product_reference: "release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
            relates_to_product_reference: "SUSE Manager Retail Branch Server 4.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le as component of SUSE Manager Server 4.2",
               product_id: "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
            },
            product_reference: "release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
            relates_to_product_reference: "SUSE Manager Server 4.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "release-notes-susemanager-4.2.9-150300.3.54.1.s390x as component of SUSE Manager Server 4.2",
               product_id: "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
            },
            product_reference: "release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
            relates_to_product_reference: "SUSE Manager Server 4.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "release-notes-susemanager-4.2.9-150300.3.54.1.x86_64 as component of SUSE Manager Server 4.2",
               product_id: "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
            },
            product_reference: "release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
            relates_to_product_reference: "SUSE Manager Server 4.2",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2021-41411",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2021-41411",
            },
         ],
         notes: [
            {
               category: "general",
               text: "drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
               "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2021-41411",
               url: "https://www.suse.com/security/cve/CVE-2021-41411",
            },
            {
               category: "external",
               summary: "SUSE Bug 1200629 for CVE-2021-41411",
               url: "https://bugzilla.suse.com/1200629",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2022-09-19T15:37:27Z",
               details: "important",
            },
         ],
         title: "CVE-2021-41411",
      },
      {
         cve: "CVE-2021-42740",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2021-42740",
            },
         ],
         notes: [
            {
               category: "general",
               text: "The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
               "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2021-42740",
               url: "https://www.suse.com/security/cve/CVE-2021-42740",
            },
            {
               category: "external",
               summary: "SUSE Bug 1203287 for CVE-2021-42740",
               url: "https://bugzilla.suse.com/1203287",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2022-09-19T15:37:27Z",
               details: "critical",
            },
         ],
         title: "CVE-2021-42740",
      },
      {
         cve: "CVE-2021-43138",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2021-43138",
            },
         ],
         notes: [
            {
               category: "general",
               text: "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
               "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2021-43138",
               url: "https://www.suse.com/security/cve/CVE-2021-43138",
            },
            {
               category: "external",
               summary: "SUSE Bug 1200480 for CVE-2021-43138",
               url: "https://bugzilla.suse.com/1200480",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2022-09-19T15:37:27Z",
               details: "important",
            },
         ],
         title: "CVE-2021-43138",
      },
      {
         cve: "CVE-2022-31129",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2022-31129",
            },
         ],
         notes: [
            {
               category: "general",
               text: "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
               "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
               "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2022-31129",
               url: "https://www.suse.com/security/cve/CVE-2022-31129",
            },
            {
               category: "external",
               summary: "SUSE Bug 1203288 for CVE-2022-31129",
               url: "https://bugzilla.suse.com/1203288",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.9-150300.3.43.1.x86_64",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.ppc64le",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.s390x",
                  "SUSE Manager Server 4.2:release-notes-susemanager-4.2.9-150300.3.54.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2022-09-19T15:37:27Z",
               details: "important",
            },
         ],
         title: "CVE-2022-31129",
      },
   ],
}

cve-2021-41411

Vulnerability from cvelistv5

Published

2022-06-16 09:52

Modified

2024-08-04 03:08

Severity ?

Summary

drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

References

▼	URL	Tags
	https://github.com/kiegroup/drools/pull/3808	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:32.436Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/kiegroup/drools/pull/3808",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-06-16T09:52:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/kiegroup/drools/pull/3808",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2021-41411",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/kiegroup/drools/pull/3808",
                     refsource: "MISC",
                     url: "https://github.com/kiegroup/drools/pull/3808",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2021-41411",
      datePublished: "2022-06-16T09:52:01",
      dateReserved: "2021-09-20T00:00:00",
      dateUpdated: "2024-08-04T03:08:32.436Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-43138

Vulnerability from cvelistv5

Published

2022-04-06 00:00

Modified

2024-08-04 03:47

Severity ?

Summary

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

References

▼	URL	Tags
	https://github.com/caolan/async/blob/master/lib/internal/iterator.js
	https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js
	https://jsfiddle.net/oz5twjd9/
	https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d
	https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264
	https://github.com/caolan/async/pull/1828
	https://github.com/caolan/async/compare/v2.6.3...v2.6.4
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240621-0006/

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:47:13.575Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/caolan/async/blob/master/lib/internal/iterator.js",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://jsfiddle.net/oz5twjd9/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/caolan/async/pull/1828",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/caolan/async/compare/v2.6.3...v2.6.4",
               },
               {
                  name: "FEDORA-2023-ce8943223c",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/",
               },
               {
                  name: "FEDORA-2023-18fd476362",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20240621-0006/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-06-21T19:07:23.908408",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "https://github.com/caolan/async/blob/master/lib/internal/iterator.js",
            },
            {
               url: "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js",
            },
            {
               url: "https://jsfiddle.net/oz5twjd9/",
            },
            {
               url: "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d",
            },
            {
               url: "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264",
            },
            {
               url: "https://github.com/caolan/async/pull/1828",
            },
            {
               url: "https://github.com/caolan/async/compare/v2.6.3...v2.6.4",
            },
            {
               name: "FEDORA-2023-ce8943223c",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/",
            },
            {
               name: "FEDORA-2023-18fd476362",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20240621-0006/",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2021-43138",
      datePublished: "2022-04-06T00:00:00",
      dateReserved: "2021-11-01T00:00:00",
      dateUpdated: "2024-08-04T03:47:13.575Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-42740

Vulnerability from cvelistv5

Published

2021-10-21 14:46

Modified

2024-08-04 03:38

Severity ?

Summary

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

References

▼	URL	Tags
	https://www.npmjs.com/package/shell-quote	x_refsource_MISC
	https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173	x_refsource_CONFIRM
	https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:38:50.098Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.npmjs.com/package/shell-quote",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-10-21T14:46:08",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.npmjs.com/package/shell-quote",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2021-42740",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.npmjs.com/package/shell-quote",
                     refsource: "MISC",
                     url: "https://www.npmjs.com/package/shell-quote",
                  },
                  {
                     name: "https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173",
                     refsource: "CONFIRM",
                     url: "https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173",
                  },
                  {
                     name: "https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe",
                     refsource: "CONFIRM",
                     url: "https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2021-42740",
      datePublished: "2021-10-21T14:46:08",
      dateReserved: "2021-10-20T00:00:00",
      dateUpdated: "2024-08-04T03:38:50.098Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-31129

Vulnerability from cvelistv5

Published

2022-07-06 00:00

Modified

2024-08-03 07:11

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

References

▼	URL	Tags
	https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
	https://github.com/moment/moment/pull/6015#issuecomment-1152961973
	https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
	https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20221014-0003/
	https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html	mailing-list

Impacted products

	Vendor	Product	Version
	moment	moment	Version: >= 2.18.0, < 2.29.4

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T07:11:39.222Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/moment/moment/pull/6015#issuecomment-1152961973",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/",
               },
               {
                  name: "FEDORA-2022-85aa8e5706",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/",
               },
               {
                  name: "FEDORA-2022-35b698150c",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/",
               },
               {
                  name: "FEDORA-2022-b9ef7c3c3c",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/",
               },
               {
                  name: "FEDORA-2022-798fd95813",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20221014-0003/",
               },
               {
                  name: "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "moment",
               vendor: "moment",
               versions: [
                  {
                     status: "affected",
                     version: " >= 2.18.0, < 2.29.4",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400: Uncontrolled Resource Consumption",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-01-31T00:00:00",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
            },
            {
               url: "https://github.com/moment/moment/pull/6015#issuecomment-1152961973",
            },
            {
               url: "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3",
            },
            {
               url: "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/",
            },
            {
               name: "FEDORA-2022-85aa8e5706",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/",
            },
            {
               name: "FEDORA-2022-35b698150c",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/",
            },
            {
               name: "FEDORA-2022-b9ef7c3c3c",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/",
            },
            {
               name: "FEDORA-2022-798fd95813",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20221014-0003/",
            },
            {
               name: "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html",
            },
         ],
         source: {
            advisory: "GHSA-wc69-rhjr-hc9g",
            discovery: "UNKNOWN",
         },
         title: "Inefficient Regular Expression Complexity in moment",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-31129",
      datePublished: "2022-07-06T00:00:00",
      dateReserved: "2022-05-18T00:00:00",
      dateUpdated: "2024-08-03T07:11:39.222Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from csaf_suse

cve-2021-41411

Vulnerability from cvelistv5

cve-2021-43138

Vulnerability from cvelistv5

cve-2021-42740

Vulnerability from cvelistv5

cve-2022-31129

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature