Bug - eslint-plugin-patternfly-react - micromatch vulnerability #10475
Comments
dlabrecq
changed the title
dlabrecq
changed the title
|
Closing as this is not a production issue for Cost Management |
github-project-automation
bot
moved this from Needs triage
to Done
in PatternFly Issues
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cost Management inherits
micromatchfromeslint-plugin-patternfly-react, which has the vulnerability described below.Red Hat requires a by 12-Aug-2024
See https://issues.redhat.com/browse/COST-5041
Flaw:
CVE-2024-4067 micromatch: vulnerable to Regular Expression Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=2280601
The NPM package
micromatchis vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs inmicromatch.braces()inindex.jsbecause the pattern.*will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.https://devhub.checkmarx.com/cve-details/CVE-2024-4067/
https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448
micromatch/micromatch#243
micromatch/micromatch#247
Output from
npm why micromatchThe text was updated successfully, but these errors were encountered: