Vulnerability Name:

CVE-2021-23362 (CCN-198792)

Assigned: 2021-03-23
Published: 2021-03-23
Updated: 2022-04-08
Summary: The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.3 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-Other
CWE-400
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2021-23362

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: XF
Type: UNKNOWN
nodejs-cve202123362-dos(198792)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/npm/hosted-git-info/commits/v2

Source: CCN
Type: Node.js Blog, 2021-07-01
July 2021 Security Releases

Source: CCN
Type: SNYK-JAVA-ORGWEBJARSNPM
Regular Expression Denial of Service (ReDoS)

Source: MISC
Type: Exploit, Patch, Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356

Source: MISC
Type: Exploit, Patch, Third Party Advisory
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355

Source: CCN
Type: IBM Security Bulletin 6453061 (Cloud Automation Manager)
A security vulnerability in Node.js hosted-git-info module affects IBM Cloud Automation Manager

Source: CCN
Type: IBM Security Bulletin 6453069 (Cloud Pak for Multicloud Management)
A security vulnerability in Node.js hosted-git-info module affects IBM Cloud Pak for Multicloud Management Managed Service

Source: CCN
Type: IBM Security Bulletin 6464815 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Source: CCN
Type: IBM Security Bulletin 6466321 (Integration Bus)
IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-23362)

Source: CCN
Type: IBM Security Bulletin 6493729 (Cloud Pak for Security)
Cloud Pak for Security is vulnerable to several CVEs

Source: CCN
Type: IBM Security Bulletin 6494661 (Rational Application Developer for WebSphere Software)
Multiple vulnerabilities affect IBM Rational Application Developer for WebSphere Software - September 2021

Source: CCN
Type: IBM Security Bulletin 6497077 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container images may be vulnerable to Denial of Service attacks due to CVE-2021-23362 and CVE-2021-27290

Source: CCN
Type: IBM Security Bulletin 6507095 (Planning Analytics)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6559694 (Watson Assistant for Cloud Pak for Data)
Security Bulletin: Vulnerability in Node.js-CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290 may affect IBM Watson Assistant for IBM Cloud Pak for Data.

Source: CCN
Type: IBM Security Bulletin 6573633 (QRadar Use Case Manager)
IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6574403 (Cloud Private)
Security Vulnerabilities affect IBM Cloud Private - Node.js (CVE-2021-23362, CVE-2021-22918)

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6590981 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6591203 (Netcool Agile Service Manager)
Multiple Vulnerabilities in Node.js affects IBM Netcool Agile Service Manager

Source: CCN
Type: IBM Security Bulletin 6825871 (Tivoli Netcool/OMNIbus_GUI)
Multiple vulnerabilities in React, webpack and Node.js modules affect Tivoli Netcool/OMNIbus WebGUI

Source: CCN
Type: IBM Security Bulletin 6967283 (QRadar User Behavior Analytics)
IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6991609 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: NPM Web site
hosted-git-info

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-23362

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:npmjs:hosted-git-info:*:*:*:*:*:*:*:* (Version >= 2.0.0 and < 2.8.9)
  • OR cpe:/a:npmjs:hosted-git-info:*:*:*:*:*:*:*:* (Version >= 3.0.0 and < 3.0.8)

Configuration 2:
  • cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
  • OR cpe:/a:ibm:rational_application_developer:9.6:*:*:*:websphere:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_user_behavior_analytics:1.0.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8157 | P | Security update for terraform-provider-aws (Important) | 2023-06-21
oval:org.opensuse.security:def:8181 | P | Security update for terraform-provider-null (Important) | 2023-06-21
oval:org.opensuse.security:def:8182 | P | Security update for terraform-provider-helm (Important) | 2023-06-21
oval:org.opensuse.security:def:8159 | P | Security update for terraform-provider-null (Important) | 2023-06-21
oval:org.opensuse.security:def:8160 | P | Security update for python-Flask (Important) | 2023-05-22
oval:org.opensuse.security:def:8158 | P | Security update for openvswitch (Important) | 2023-05-19
oval:org.opensuse.security:def:8156 | P | Security update for openvswitch (Important) | 2023-05-19
oval:org.opensuse.security:def:6121 | P | Security update for libgda (Important) (in QA) | 2022-08-31
oval:org.opensuse.security:def:6094 | P | Security update for squid (Important) | 2022-07-12
oval:org.opensuse.security:def:99503 | P | (Important) | 2022-03-23
oval:org.opensuse.security:def:99710 | P | (Moderate) | 2021-12-28
oval:org.opensuse.security:def:99702 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:100019 | P | (Important) | 2021-11-22
oval:org.opensuse.security:def:93111 | P | (Moderate) | 2021-11-09
oval:org.opensuse.security:def:100011 | P | (Moderate) | 2021-11-04
oval:org.opensuse.security:def:93264 | P | (Important) | 2021-09-03
oval:com.redhat.rhsa:def:20213073 | P | RHSA-2021:3073: nodejs:12 security, bug fix, and enhancement update (Moderate) | 2021-08-10
oval:com.redhat.rhsa:def:20213074 | P | RHSA-2021:3074: nodejs:14 security, bug fix, and enhancement update (Moderate) | 2021-08-10
oval:org.opensuse.security:def:110997 | P | Security update for nodejs8 (Important) | 2021-08-10
oval:org.opensuse.security:def:69248 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:109481 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92958 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:118576 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:102814 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9009 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:70266 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:98925 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9562 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:91975 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:99312 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69249 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:96124 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:118577 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:10126 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92362 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:102815 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69512 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:76278 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92760 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:8814 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69901 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:96125 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:111653 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9372 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:70452 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:99120 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:109480 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9761 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92170 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:99511 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:67210 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:10312 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92561 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:8628 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69702 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:110976 | P | Security update for nodejs10 (Important) | 2021-07-19
oval:org.opensuse.security:def:110973 | P | Security update for nodejs12 (Important) | 2021-07-19
oval:org.opensuse.security:def:110975 | P | Security update for nodejs14 (Important) | 2021-07-19
oval:org.opensuse.security:def:96123 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:111623 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:10118 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92354 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69504 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:109478 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:76251 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92752 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:8806 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69893 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:93103 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:111624 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:9364 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:70444 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:99112 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69246 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:109479 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:118574 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:9753 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92162 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:102812 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:67183 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:10304 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92553 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:8620 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69694 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69247 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:96122 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92950 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:118575 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:102813 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:9001 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:70258 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69271 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:98917 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:93256 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:102265 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:9554 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:91967 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:99304 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:49443 | P | Security update for nodejs10 (Important) | 2021-07-14
oval:org.opensuse.security:def:69245 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:118573 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:102811 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:20971 | P | Security update for nodejs14 (Important) | 2021-07-14
oval:org.opensuse.security:def:49444 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:96121 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:69270 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:20972 | P | Security update for nodejs10 (Important) | 2021-07-14
oval:org.opensuse.security:def:102264 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:49442 | P | Security update for nodejs14 (Important) | 2021-07-14
oval:org.opensuse.security:def:111621 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:20973 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:109477 | P | Security update for nodejs12 (Important) | 2021-07-14