{"containers": {"cna": {"affected": [{"product": "npm-user-validate", "vendor": "n/a", "versions": [{"lessThan": "1.0.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Yeting Li"}], "datePublic": "2020-10-27T00:00:00", "descriptions": [{"lang": "en", "value": "This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Regular Expression Denial of Service (ReDoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-27T15:05:17", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e"}], "title": "Regular Expression Denial of Service (ReDoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-10-27T15:03:17.448791Z", "ID": "CVE-2020-7754", "STATE": "PUBLIC", "TITLE": "Regular Expression Denial of Service (ReDoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "npm-user-validate", "version": {"version_data": [{"version_affected": "<", "version_value": "1.0.1"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Yeting Li"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Regular Expression Denial of Service (ReDoS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353"}, {"name": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p", "refsource": "MISC", "url": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p"}, {"name": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e", "refsource": "MISC", "url": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:41:01.529Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7754", "datePublished": "2020-10-27T15:05:18.052022Z", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-09-17T04:28:53.351Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:npmjs:npm-user-validate:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2AC44E3C-4A3B-4215-AB0D-34D7395FC274", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters."}, {"lang": "es", "value": "Esto afecta al paquete npm-user-validate versiones anteriores a 1.0.1.&#xa0;La expresi\u00f3n regular que comprueba los correos electr\u00f3nicos de los usuarios tard\u00f3 exponencialmente m\u00e1s en procesar cadenas de entrada largas que comienzan con caracteres @"}], "id": "CVE-2020-7754", "lastModified": "2020-10-27T17:31:05.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Primary"}]}, "published": "2020-10-27T15:15:13.123", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0548", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "low", "package": "nodejs:10-8030020210118191659.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-02-16T00:00:00Z"}, {"advisory": "RHSA-2021:0549", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "low", "package": "nodejs:12-8030020210129141730.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-02-16T00:00:00Z"}, {"advisory": "RHSA-2021:0551", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "low", "package": "nodejs:14-8030020210126165503.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-02-16T00:00:00Z"}, {"advisory": "RHSA-2021:0421", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs14-nodejs-0:14.15.4-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.20.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-15T00:00:00Z"}, {"advisory": "RHSA-2021:0421", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs14-nodejs-0:14.15.4-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.20.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-15T00:00:00Z"}, {"advisory": "RHSA-2021:0421", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs14-nodejs-0:14.15.4-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.20.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-15T00:00:00Z"}], "bugzilla": {"description": "nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS", "id": "1892430", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892430"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters."], "name": "CVE-2020-7754", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-10-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7754\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7754\nhttps://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p"], "statement": "In Red Hat Enterprise Linux 8 and Software Collections, `npm-user-validate` is used exclusively for `npm`. As a result, this vulnerability is considered Low in such a context.\nIn OpenShift Container Platform (OCP) 3.11 and 4.4 the kibana package has been marked Low (similar to RHEL8) as it is primarily used for npm and is protected via OpenShift OAuth. Additionally, whilst OCP 4.4 does deliver the kibana package, due to the code changing to container first content, it has been marked as wontfix at this time and may be fixed in a future release. \nAdditionally, the openshift4/ose-logging-kibana6 container is not represented on the CVE page as it gets npm from the Red Hat Software Collections and as such the ose-logging-kibana6 container will be updated when the rh-nodejs10-nodejs package is.", "threat_severity": "Moderate", "upstream_fix": "npm-user-validate 1.0.1"}