{
  "threat_severity" : "Low",
  "public_date" : "2018-02-19T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js",
    "id" : "1547272",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1547272"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.0",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-1333",
  "details" : [ "A vulnerability was found in Braces versions 2.2.0 and above, prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", "A vulnerability was found in nodejs-braces. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks. The highest threat from this vulnerability is system availability." ],
  "statement" : "Red Hat Quay includes braces as a dependency of webpack. Braces is only used at build time, not at runtime, reducing the impact of this vulnerability to low.",
  "affected_release" : [ {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-10-19T00:00:00Z",
    "advisory" : "RHSA-2021:3917",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-rhel8:v3.6.0-62",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "nodejs-braces",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3",
    "fix_state" : "Not affected",
    "package_name" : "nodejs-braces",
    "cpe" : "cpe:/a:redhat:openshift:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs4-nodejs-braces",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs6-nodejs-braces",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs8-nodejs-braces",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1109\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1109\nhttps://snyk.io/vuln/npm:braces:20180219" ],
  "name" : "CVE-2018-1109",
  "csaw" : false
}