minimatch ReDoS vulnerability #167

Closed
1 of 4 tasks
TheKingTermux opened this issue Oct 24, 2022 · 0 comments · Fixed by #165
Labels
  • Auto Create Issues (Label for Auto Created Issues)
  • High (This label for Security Severity only)
  • Security (Label for Security Issues)

@TheKingTermux
Owner

Description

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Severity Check

  • Low
  • Moderate
  • High
  • Critical

Severity Number

7.5

CVSS base metrics

  • Attack vector
    Network

  • Attack complexity
    Low

  • Privileges required
    None

  • User interaction
    None

  • Scope
    Unchanged

  • Confidentiality
    None

  • Integrity
    None

  • Availability
    High

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • Weaknesses
    CWE-400

  • CVE ID
    CVE-2022-3517

  • GHSA ID
    GHSA-f8q6-p94x-37v3

Information

  • Package
    minimatch (npm)

  • Affected versions
    < 3.0.5

  • Patched versions
    3.0.5

References

@TheKingTermux added the Security (Label for Security Issues) and Auto Create Issues (Label for Auto Created Issues) labels Oct 24, 2022
@TheKingTermux added this to the Alice 1.0.6 milestone Oct 24, 2022
@github-actions bot locked as resolved and limited conversation to collaborators Oct 26, 2022
@TheKingTermux added the High (This label for Security Severity only) label May 9, 2023