{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-21T15:45:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/color-string"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29060", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js", "refsource": "MISC", "url": "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js"}, {"name": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3", "refsource": "MISC", "url": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3"}, {"name": "https://www.npmjs.com/package/color-string", "refsource": "MISC", "url": "https://www.npmjs.com/package/color-string"}, {"name": "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md", "refsource": "MISC", "url": "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:55:12.637Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/color-string"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29060", "datePublished": "2021-06-21T15:45:53", "dateReserved": "2021-03-22T00:00:00", "dateUpdated": "2024-08-03T21:55:12.637Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color-string_project:color-string:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D2BCC158-C090-46D8-AC7A-9BB2888A36AA", "versionEndExcluding": "1.5.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de Expresi\u00f3n Regular de Denegaci\u00f3n de Servicio (ReDOS) en Color-String versi\u00f3n 1.5.5 y por debajo, que ocurre cuando la aplicaci\u00f3n es proporcionada y comprueba una cadena HWB no v\u00e1lida dise\u00f1ada"}], "id": "CVE-2021-29060", "lastModified": "2021-07-01T14:57:22.333", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-21T16:15:08.113", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/yetingli/SaveResults/blob/main/js/color-string.js"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.npmjs.com/package/color-string"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nodejs-color-string: Regular expression denial of service when the application is provided and checks a crafted invalid HWB string", "id": "1974848", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1974848"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.", "A Regular Expression Denial of Service (ReDOS) vulnerability was found in Color-String, which occurs when the application is provided and checks a crafted invalid HWB string. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-29060", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "impact": "low", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "impact": "low", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "impact": "low", "package_name": "openshift4/ose-logging-kibana6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "ovirt-engine-ui-extensions", "product_name": "Red Hat Virtualization 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "ovirt-web-ui", "product_name": "Red Hat Virtualization 4"}], "public_date": "2021-06-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-29060\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-29060\nhttps://snyk.io/vuln/SNYK-JS-COLORSTRING-1082939"], "statement": "OpenShift Service Mesh 1.1.x is in its maintenance phase, only Important and Critical vulnerabilities will be fixed at this time.\nIn OpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM) some components include the vulnerable color-string library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.\nStarting in OCP 4.7, the kibana component is shipping as \"container first\" content and as a part of the OpenShift Logging product (openshift-logging/kibana6-rhel8) and is not affected by this vulnerability. The kibana components delivered in OCP 4.6 and earlier are marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM) all containers are using the 1.5.5 fixed version, hence not RHACM version is affected by this flaw.\nIn Red Hat Virtualization a vulnerable version of color-string is used in ovirt-web-ui and ovirt-engine-ui-extensions. It is a build-time dependency not exploitable in the delivered product. Therefore impact is rated Low and it will not be immediately fixed. An update may be provided in future releases.", "threat_severity": "Moderate", "upstream_fix": "color-string 1.5.5"}