{
  "threat_severity" : "Moderate",
  "public_date" : "2021-06-21T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string",
    "id" : "1974839",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1974839"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.", "A flaw was found in IS-SVG where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string. The highest threat from this vulnerability is to system availability." ],
  "statement" : "Since OpenShift Service Mesh 1.1.x is in its maintenance phase, only Important and Critical flaws will be fixed at this time.\nIn Red Hat OpenShift Container Platform (RHOCP) and OpenShift Service Mesh (OSSM), the affected components are behind OpenShift OAuth. This restricts access to the vulnerable is-svg library to authenticated users only; therefore the impact is low.\nOCP 4 delivers the kibana package in which is-svg is bundled, but during the move to container-first delivery (openshift4/ose-logging-kibana6, starting in OCP 4.5) the dependency was removed, and hence the kibana package is marked as wontfix. In OCP the grafana container bundles the is-svg library, but as the Grafana dashboard is read-only, injecting the malicious string is not possible; therefore this component has been marked as wontfix at this time and may be fixed in a future release.\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are no longer in use in 2.2 and 2.3, except for console-ui-container in 2.1, which is behind OAuth, in which case the impact is marked as low. RHACM 2.1 is in its maintenance phase, so only Important and Critical flaws will be fixed at this time.\nIn Red Hat Virtualization a vulnerable version of is-svg is used in ovirt-web-ui and ovirt-engine-ui-extensions. It is a build-time dependency that is not exploitable in the delivered product. Therefore the impact is rated Low and it will not be immediately fixed. An update may be provided in future releases.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.8",
    "release_date" : "2021-07-27T00:00:00Z",
    "advisory" : "RHSA-2021:2438",
    "cpe" : "cpe:/a:redhat:openshift:4.8::el8",
    "package" : "openshift4/ose-thanos-rhel8:v4.8.0-202106291913.p0.git.c358e96.assembly.stream",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.9",
    "release_date" : "2021-10-18T00:00:00Z",
    "advisory" : "RHSA-2021:3759",
    "cpe" : "cpe:/a:redhat:openshift:4.9::el8",
    "package" : "openshift4/ose-prometheus:v4.9.0-202109302016.p0.git.3197fa7.assembly.stream",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Will not fix",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:1",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Will not fix",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:1",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Affected",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Affected",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/console-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/console-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Out of support scope",
    "package_name" : "is-svg",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "kibana",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "kibana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Out of support scope",
    "package_name" : "is-svg",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Will not fix",
    "package_name" : "ovirt-engine-ui-extensions",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Will not fix",
    "package_name" : "ovirt-web-ui",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-29059\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-29059" ],
  "name" : "CVE-2021-29059",
  "csaw" : false
}