CVE-2022-25758 - Vulnerability Details - OpenCVE

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00467.

Key SSVC decision points have not yet been added.

Vendors	Products
Scss-tokenizer Project	Scss-tokenizer

Configuration 1 [-]

cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:*:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-6284	All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.
Github GHSA	GHSA-7mwh-4pqv-wmr8	Regular expression denial of service in scss-tokenizer

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/sasstools/scss-tokenizer/issues/45
https://github.com/sasstools/scss-tokenizer/issues/48
https://nvd.nist.gov/vuln/detail/CVE-2022-25758
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782
https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
https://www.cve.org/CVERecord?id=CVE-2022-25758

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-07-01T20:01:14.328186Z

Updated: 2024-09-17T01:06:29.282Z

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-25758

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-07-01T20:15:07.847

Modified: 2024-11-21T06:52:56.980

Link: CVE-2022-25758

Redhat

Severity : Moderate

Publid Date: 2022-07-01T00:00:00Z

Links: CVE-2022-25758 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "scss-tokenizer", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Paul Bastide"}], "datePublic": "2022-07-01T00:00:00", "descriptions": [{"lang": "en", "value": "All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Regular Expression Denial of Service (ReDoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-01T20:01:14", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/sasstools/scss-tokenizer/issues/45"}], "title": "Regular Expression Denial of Service (ReDoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-07-01T20:00:06.707114Z", "ID": "CVE-2022-25758", "STATE": "PUBLIC", "TITLE": "Regular Expression Denial of Service (ReDoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "scss-tokenizer", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Paul Bastide"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Regular Expression Denial of Service (ReDoS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782"}, {"name": "https://github.com/sasstools/scss-tokenizer/issues/45", "refsource": "MISC", "url": "https://github.com/sasstools/scss-tokenizer/issues/45"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:43.167Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sasstools/scss-tokenizer/issues/45"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-25758", "datePublished": "2022-07-01T20:01:14.328186Z", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2024-09-17T01:06:29.282Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "341E73F1-2D99-4B4E-8497-A126A3FA9F1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex."}, {"lang": "es", "value": "Todas las versiones del paquete scss-tokenizer son vulnerables a la Denegaci\u00f3n de Servicio por Expresi\u00f3n Regular (ReDoS) por medio de la funci\u00f3n loadAnnotation(), debido al uso de regex no seguro"}], "id": "CVE-2022-25758", "lastModified": "2024-11-21T06:52:56.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-01T20:15:07.847", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/sasstools/scss-tokenizer/issues/45"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/sasstools/scss-tokenizer/issues/45"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "scss-tokenizer: Regular expression denial of service in scss-tokenizer", "id": "2114794", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2114794"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1333", "details": ["All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.", "A flaw was found in the scss-tokenizer package. Affected versions of this package are vulnerable to a regular expression denial of service (ReDoS) attacks."], "name": "CVE-2022-25758", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Will not fix", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Will not fix", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/application-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/grc-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "package_name": "cockpit-ceph-installer", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "scss-tokenizer", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "389-ds:1.4/389-ds-base", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "cockpit-podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "scss-tokenizer", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/ose-console", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-console-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "scss-tokenizer", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "tfm-rubygem-rabl", "product_name": "Red Hat Satellite 6"}], "public_date": "2022-07-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-25758\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25758\nhttps://github.com/sasstools/scss-tokenizer/issues/48"], "statement": "In OpenShift Service Mesh (OSSM) the vulnerable scss-tokenizer nodejs package is shipped in openshift-service-mesh/kiali-rhel8 and openshift-service-mesh/grafana-rhel8 container images.\nIn the openshift-service-mesh/grafana-rhel8, the scss-tokenizer nodejs package is shipped as a part of the grafana rpm package, which is consumed from Red Hat Enterprise Linux (RHEL) repositories starting from OSSM 2.0.9 version. Once this vulnerability will be fixed in RHEL product, fixed version of grafana package will be consumed by OSSM and delivered in the next OSSM releases. In older versions than OSSM 2.0.9 the openshift-service-mesh/grafana-rhel8 container contains servicemesh-grafana rpm package from OSSM repositories and these versions are not supported anymore, hence the servicemesh-grafana rpm package is listed as affected with \"Will not fix\" state.\nIn OSSM openshift-service-mesh/kiali-rhel8 container image, the scss-tokenizer nodejs package is only listed as a development dependency, without impact to the runtime environment, hence is marked as \"Will not fix\".", "threat_severity": "Moderate"}