CVE-2021-27292 - Vulnerability Details

Vendors	Products
Redhat	Acm Jaeger Logging Openshift
Ua-parser-js Project	Ua-parser-js

Package	CPE	Advisory	Released Date
OpenShift Logging 5.1
openshift-logging/kibana6-rhel8:v6.8.1-108	cpe:/a:redhat:logging:5.1::el8	RHSA-2022:0226	2022-01-20T00:00:00Z
OpenShift Logging 5.2
openshift-logging/kibana6-rhel8:v6.8.1-110	cpe:/a:redhat:logging:5.2::el8	RHSA-2022:0230	2022-01-21T00:00:00Z
OpenShift Logging 5.3
openshift-logging/kibana6-rhel8:v6.8.1-109	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:0227	2022-01-20T00:00:00Z
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
rhacm2/acm-grafana-rhel8:v2.3.0-38	cpe:/a:redhat:acm:2.3::el8	RHSA-2021:3016	2021-08-06T00:00:00Z
Red Hat OpenShift Container Platform 4.8
openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:2438	2021-07-27T00:00:00Z
Red Hat OpenShift Jaeger 1.24
distributed-tracing/jaeger-agent-rhel8:1.24.0-9	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-all-in-one-rhel8:1.24.0-8	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-collector-rhel8:1.24.0-8	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-es-index-cleaner-rhel8:1.24.0-10	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-es-rollover-rhel8:1.24.0-14	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-ingester-rhel8:1.24.0-8	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-query-rhel8:1.24.0-9	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z
distributed-tracing/jaeger-rhel8-operator:1.24.0-16	cpe:/a:redhat:jaeger:1.24::el8	RHSA-2021:3024	2021-08-09T00:00:00Z

Link	Providers
https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
https://nvd.nist.gov/vuln/detail/CVE-2021-27292
https://www.cve.org/CVERecord?id=CVE-2021-27292

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-18T15:55:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14"}, {"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27292", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14", "refsource": "MISC", "url": "https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14"}, {"name": "https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76", "refsource": "MISC", "url": "https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76"}, {"name": "https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566", "refsource": "MISC", "url": "https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:48:16.474Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27292", "datePublished": "2021-03-17T12:34:48", "dateReserved": "2021-02-16T00:00:00", "dateUpdated": "2024-08-03T20:48:16.474Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-03-18T15:55:13 (string)

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@mitre.org (string)

ID : CVE-2021-27292 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 (string)

refsource : MISC (string)

url : https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 (string)

}

1 : { »

name : https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76 (string)

refsource : MISC (string)

url : https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76 (string)

}

2 : { »

name : https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566 (string)

refsource : MISC (string)

url : https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T20:48:16.474Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

cveId : CVE-2021-27292 (string)

datePublished : 2021-03-17T12:34:48 (string)

dateReserved : 2021-02-16T00:00:00 (string)

dateUpdated : 2024-08-03T20:48:16.474Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ua-parser-js_project:ua-parser-js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "983F378E-C74C-489E-A4CC-5499264D3896", "versionEndExcluding": "0.7.24", "versionStartIncluding": "0.7.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time."}, {"lang": "es", "value": "ua-parser-js versiones posteriores incluyendo a 0.7.14, corregido en 0.7.24, usa una expresi\u00f3n regular que es vulnerable a una denegaci\u00f3n de servicio.&#xa0;Si un atacante env\u00eda un encabezado User-Agent malicioso, ua-parser-js se bloquear\u00e1 al procesarlo durante un per\u00edodo de tiempo prolongado"}], "id": "CVE-2021-27292", "lastModified": "2024-11-21T05:57:45.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-17T13:15:15.200", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:ua-parser-js_project:ua-parser-js:*:*:*:*:*:node.js:*:* (string)

matchCriteriaId : 983F378E-C74C-489E-A4CC-5499264D3896 (string)

versionEndExcluding : 0.7.24 (string)

versionStartIncluding : 0.7.14 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. (string)

}

1 : { »

lang : es (string)

value : ua-parser-js versiones posteriores incluyendo a 0.7.14, corregido en 0.7.24, usa una expresión regular que es vulnerable a una denegación de servicio. Si un atacante envía un encabezado User-Agent malicioso, ua-parser-js se bloqueará al procesarlo durante un período de tiempo prolongado (string)

}

]

id : CVE-2021-27292 (string)

lastModified : 2024-11-21T05:57:45.830 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : PARTIAL (string)

baseScore : 5 (number)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:L/Au:N/C:N/I:N/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-03-17T13:15:15.200 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

]

url : https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76 (string)

}

1 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566 (string)

}

2 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

]

url : https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76 (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : NVD-CWE-Other (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"affected_release": [{"advisory": "RHSA-2022:0226", "cpe": "cpe:/a:redhat:logging:5.1::el8", "impact": "low", "package": "openshift-logging/kibana6-rhel8:v6.8.1-108", "product_name": "OpenShift Logging 5.1", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0230", "cpe": "cpe:/a:redhat:logging:5.2::el8", "impact": "low", "package": "openshift-logging/kibana6-rhel8:v6.8.1-110", "product_name": "OpenShift Logging 5.2", "release_date": "2022-01-21T00:00:00Z"}, {"advisory": "RHSA-2022:0227", "cpe": "cpe:/a:redhat:logging:5.3::el8", "impact": "low", "package": "openshift-logging/kibana6-rhel8:v6.8.1-109", "product_name": "OpenShift Logging 5.3", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2021:3016", "cpe": "cpe:/a:redhat:acm:2.3::el8", "impact": "low", "package": "rhacm2/acm-grafana-rhel8:v2.3.0-38", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8", "release_date": "2021-08-06T00:00:00Z"}, {"advisory": "RHSA-2021:2438", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "impact": "low", "package": "openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-07-27T00:00:00Z"}, {"advisory": "RHSA-2021:3024", "cpe": "cpe:/a:redhat:jaeger:1.24::el8", "impact": "low", "package": "distributed-tracing/jaeger-agent-rhel8:1.24.0-9", "product_name": "Red Hat OpenShift Jaeger 1.24", "release_date": "2021-08-09T00:00:00Z"}, {"advisory": "RHSA-2021:3024", "cpe": "cpe:/a:redhat:jaeger:1.24::el8", "impact": "low", "package": "distributed-tracing/jaeger-all-in-one-rhel8:1.24.0-8", "product_name": "Red Hat OpenShift Jaeger 1.24", "release_date": "2021-08-09T00:00:00Z"}, {"advisory": "RHSA-2021:3024", "cpe": "cpe:/a:redhat:jaeger:1.24::el8", "impact": "low", "package": "distributed-tracing/jaeger-collector-rhel8:1.24.0-8", "product_name": "Red Hat OpenShift Jaeger 1.24", "release_date": "2021-08-09T00:00:00Z"}, {"advisory": "RHSA-2021:3024", "cpe": "cpe:/a:redhat:jaeger:1.24::el8", "impact": "low", "package": "distributed-tracing/jaeger-es-index-cleaner-rhel8:1.24.0-10", "product_name": "Red Hat OpenShift Jaeger 1.24", "release_date": "2021-08-09T00:00:00Z"}, {"advisory": "RHSA-2021:3024", "cpe": "cpe:/a:redhat:jaeger:1.24::el8", "impact": "low", "package": "distributed-tracing/jaeger-es-rollover-rhel8:1.24.0-14", "product_name": "Red Hat OpenShift Jaeger 1.24", "release_date": "2021-08-09T00:00:00Z"}, {"advisory": "RHSA-2021:3024", "cpe": "cpe:/a:redhat:jaeger:1.24::el8", "impact": "low", "package": "distributed-tracing/jaeger-ingester-rhel8:1.24.0-8", "product_name": "Red Hat OpenShift Jaeger 1.24", "release_date": "2021-08-09T00:00:00Z"}, {"advisory": "RHSA-2021:3024", "cpe": "cpe:/a:redhat:jaeger:1.24::el8", "impact": "low", "package": "distributed-tracing/jaeger-query-rhel8:1.24.0-9", "product_name": "Red Hat OpenShift Jaeger 1.24", "release_date": "2021-08-09T00:00:00Z"}, {"advisory": "RHSA-2021:3024", "cpe": "cpe:/a:redhat:jaeger:1.24::el8", "impact": "low", "package": "distributed-tracing/jaeger-rhel8-operator:1.24.0-16", "product_name": "Red Hat OpenShift Jaeger 1.24", "release_date": "2021-08-09T00:00:00Z"}], "bugzilla": {"description": "nodejs-ua-parser-js: ReDoS via malicious User-Agent header", "id": "1940613", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1940613"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.", "A regular expression denial of service (ReDoS) vulnerability was found in the npm library `ua-parser-js`. If a supplied user agent matches the `Noble` string and contains many spaces then the regex will conduct backtracking, taking an ever increasing amount of time depending on the number of spaces supplied. An attacker can use this vulnerability to potentially craft a malicious user agent resulting in a denial of service."], "name": "CVE-2021-27292", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Fix deferred", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "impact": "low", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-logging-kibana6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "impact": "low", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2021-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-27292\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-27292\nhttps://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76"], "statement": "While some components do package a vulnerable version of ua-parser-js, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. This applies to the following products:\n- OpenShift Container Platform (OCP)\n- OpenShift ServiceMesh (OSSM) \n- Red Hat OpenShift Jaeger (RHOSJ)\n- Red Hat OpenShift Logging\nThe OCP presto-container does ship the vulnerable component, however since OCP 4.6 the Metering product has been deprecated [1], set as wont-fix and may be fixed in a future release.\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships graphql-tools that pulls 0.7.23 version of ua-parser-js that uses the affected code.\n[1] - https://access.redhat.com/solutions/5707561", "threat_severity": "Moderate"}

{

affected_release : [ »

0 : { »

advisory : RHSA-2022:0226 (string)

cpe : cpe:/a:redhat:logging:5.1::el8 (string)

impact : low (string)

package : openshift-logging/kibana6-rhel8:v6.8.1-108 (string)

product_name : OpenShift Logging 5.1 (string)

release_date : 2022-01-20T00:00:00Z (string)

}

1 : { »

advisory : RHSA-2022:0230 (string)

cpe : cpe:/a:redhat:logging:5.2::el8 (string)

impact : low (string)

package : openshift-logging/kibana6-rhel8:v6.8.1-110 (string)

product_name : OpenShift Logging 5.2 (string)

release_date : 2022-01-21T00:00:00Z (string)

}

2 : { »

advisory : RHSA-2022:0227 (string)

cpe : cpe:/a:redhat:logging:5.3::el8 (string)

impact : low (string)

package : openshift-logging/kibana6-rhel8:v6.8.1-109 (string)

product_name : OpenShift Logging 5.3 (string)

release_date : 2022-01-20T00:00:00Z (string)

}

3 : { »

advisory : RHSA-2021:3016 (string)

cpe : cpe:/a:redhat:acm:2.3::el8 (string)

impact : low (string)

package : rhacm2/acm-grafana-rhel8:v2.3.0-38 (string)

product_name : Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 (string)

release_date : 2021-08-06T00:00:00Z (string)

}

4 : { »

advisory : RHSA-2021:2438 (string)

cpe : cpe:/a:redhat:openshift:4.8::el8 (string)

impact : low (string)

package : openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream (string)

product_name : Red Hat OpenShift Container Platform 4.8 (string)

release_date : 2021-07-27T00:00:00Z (string)

}

5 : { »

advisory : RHSA-2021:3024 (string)

cpe : cpe:/a:redhat:jaeger:1.24::el8 (string)

impact : low (string)

package : distributed-tracing/jaeger-agent-rhel8:1.24.0-9 (string)

product_name : Red Hat OpenShift Jaeger 1.24 (string)

release_date : 2021-08-09T00:00:00Z (string)

}

6 : { »

advisory : RHSA-2021:3024 (string)

cpe : cpe:/a:redhat:jaeger:1.24::el8 (string)

impact : low (string)

package : distributed-tracing/jaeger-all-in-one-rhel8:1.24.0-8 (string)

product_name : Red Hat OpenShift Jaeger 1.24 (string)

release_date : 2021-08-09T00:00:00Z (string)

}

7 : { »

advisory : RHSA-2021:3024 (string)

cpe : cpe:/a:redhat:jaeger:1.24::el8 (string)

impact : low (string)

package : distributed-tracing/jaeger-collector-rhel8:1.24.0-8 (string)

product_name : Red Hat OpenShift Jaeger 1.24 (string)

release_date : 2021-08-09T00:00:00Z (string)

}

8 : { »

advisory : RHSA-2021:3024 (string)

cpe : cpe:/a:redhat:jaeger:1.24::el8 (string)

impact : low (string)

package : distributed-tracing/jaeger-es-index-cleaner-rhel8:1.24.0-10 (string)

product_name : Red Hat OpenShift Jaeger 1.24 (string)

release_date : 2021-08-09T00:00:00Z (string)

}

9 : { »

advisory : RHSA-2021:3024 (string)

cpe : cpe:/a:redhat:jaeger:1.24::el8 (string)

impact : low (string)

package : distributed-tracing/jaeger-es-rollover-rhel8:1.24.0-14 (string)

product_name : Red Hat OpenShift Jaeger 1.24 (string)

release_date : 2021-08-09T00:00:00Z (string)

}

10 : { »

advisory : RHSA-2021:3024 (string)

cpe : cpe:/a:redhat:jaeger:1.24::el8 (string)

impact : low (string)

package : distributed-tracing/jaeger-ingester-rhel8:1.24.0-8 (string)

product_name : Red Hat OpenShift Jaeger 1.24 (string)

release_date : 2021-08-09T00:00:00Z (string)

}

11 : { »

advisory : RHSA-2021:3024 (string)

cpe : cpe:/a:redhat:jaeger:1.24::el8 (string)

impact : low (string)

package : distributed-tracing/jaeger-query-rhel8:1.24.0-9 (string)

product_name : Red Hat OpenShift Jaeger 1.24 (string)

release_date : 2021-08-09T00:00:00Z (string)

}

12 : { »

advisory : RHSA-2021:3024 (string)

cpe : cpe:/a:redhat:jaeger:1.24::el8 (string)

impact : low (string)

package : distributed-tracing/jaeger-rhel8-operator:1.24.0-16 (string)

product_name : Red Hat OpenShift Jaeger 1.24 (string)

release_date : 2021-08-09T00:00:00Z (string)

}

]

bugzilla : { »

description : nodejs-ua-parser-js: ReDoS via malicious User-Agent header (string)

id : 1940613 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=1940613 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 7.5 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (string)

status : verified (string)

}

cwe : CWE-400 (string)

details : [ »

0 : ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. (string)

1 : A regular expression denial of service (ReDoS) vulnerability was found in the npm library `ua-parser-js`. If a supplied user agent matches the `Noble` string and contains many spaces then the regex will conduct backtracking, taking an ever increasing amount of time depending on the number of spaces supplied. An attacker can use this vulnerability to potentially craft a malicious user agent resulting in a denial of service. (string)

]

name : CVE-2021-27292 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:service_mesh:2.0 (string)

fix_state : Will not fix (string)

package_name : servicemesh-grafana (string)

product_name : OpenShift Service Mesh 2.0 (string)

}

1 : { »

cpe : cpe:/a:redhat:service_mesh:2.0 (string)

fix_state : Will not fix (string)

package_name : servicemesh-prometheus (string)

product_name : OpenShift Service Mesh 2.0 (string)

}

2 : { »

cpe : cpe:/a:redhat:ceph_storage:2 (string)

fix_state : Out of support scope (string)

package_name : grafana (string)

product_name : Red Hat Ceph Storage 2 (string)

}

3 : { »

cpe : cpe:/a:redhat:ceph_storage:3 (string)

fix_state : Not affected (string)

package_name : grafana (string)

product_name : Red Hat Ceph Storage 3 (string)

}

4 : { »

cpe : cpe:/a:redhat:ceph_storage:3 (string)

fix_state : Not affected (string)

package_name : grafana-container (string)

product_name : Red Hat Ceph Storage 3 (string)

}

5 : { »

cpe : cpe:/a:redhat:ceph_storage:4 (string)

fix_state : Not affected (string)

package_name : rhceph/rhceph-4-dashboard-rhel8 (string)

product_name : Red Hat Ceph Storage 4 (string)

}

6 : { »

cpe : cpe:/a:redhat:openshift:3.11 (string)

fix_state : Fix deferred (string)

impact : low (string)

package_name : kibana (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

}

7 : { »

cpe : cpe:/a:redhat:openshift:3.11 (string)

fix_state : Not affected (string)

impact : low (string)

package_name : openshift3/grafana (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

}

8 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Fix deferred (string)

impact : low (string)

package_name : openshift4/ose-grafana (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

9 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Fix deferred (string)

impact : low (string)

package_name : openshift4/ose-logging-kibana6 (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

10 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Out of support scope (string)

impact : low (string)

package_name : openshift4/ose-metering-presto (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

11 : { »

cpe : cpe:/a:redhat:storage:3 (string)

fix_state : Affected (string)

package_name : grafana (string)

product_name : Red Hat Storage 3 (string)

}

]

public_date : 2021-02-11T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2021-27292 https://nvd.nist.gov/vuln/detail/CVE-2021-27292 https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76 (string)

]

statement : While some components do package a vulnerable version of ua-parser-js, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. This applies to the following products: - OpenShift Container Platform (OCP) - OpenShift ServiceMesh (OSSM) - Red Hat OpenShift Jaeger (RHOSJ) - Red Hat OpenShift Logging The OCP presto-container does ship the vulnerable component, however since OCP 4.6 the Metering product has been deprecated [1], set as wont-fix and may be fixed in a future release. Red Hat Advanced Cluster Management for Kubernetes (RHACM) ships graphql-tools that pulls 0.7.23 version of ua-parser-js that uses the affected code. [1] - https://access.redhat.com/solutions/5707561 (string)

threat_severity : Moderate (string)

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object