{
  "threat_severity" : "Moderate",
  "public_date" : "2021-04-28T00:00:00Z",
  "bugzilla" : {
    "description" : "browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)",
    "id" : "1955619",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1955619"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.", "Regular Expression Denial of Service (ReDoS)  vulnerability was found in browserslist library. An attacker can use this vulnerability to parse a query which potentially can lead to service degradation." ],
  "statement" : "While some components do package a vulnerable version of nodejs browserslist library, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. \nThis applies to the following products:\n- OpenShift Container Platform (OCP)\n- OpenShift ServiceMesh (OSSM)\n- Red Hat Advanced Cluster Management for Kubernetes (RHACM)\nIn Red Had Quay , whilst a vulnerable version of `browserslist` is included in the quay-rhel8 container it is a development dependency only, therefor the impact is low.",
  "affected_release" : [ {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-10-19T00:00:00Z",
    "advisory" : "RHSA-2021:3917",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-rhel8:v3.6.0-62",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Affected",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Affected",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/application-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/console-header-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/console-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/console-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/grc-ui-api-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/grc-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/mcm-topology-api-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/mcm-topology-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/search-api-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/search-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-prometheus",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-thanos-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-23364\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23364" ],
  "name" : "CVE-2021-23364",
  "csaw" : false
}