Fix CVE–2022–3517

[debricked]

CVE–2022–3517

Vulnerability details

Description

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

NVD

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

GitHub

minimatch ReDoS vulnerability

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

CVSS details - 7.5

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity	None
Availability	High

References

    NVD - CVE-2022-3517
    minimatch ReDoS vulnerability · CVE-2022-3517 · GitHub Advisory Database · GitHub
    Improve redos protection, add many tests · isaacs/minimatch@a8763f4 · GitHub
    PRISMA-2022-0039 - High vulnerability · Issue #329 · grafana/grafana-image-renderer · GitHub
    Upgrade to npm 8.5.3 in 16.x to alleviate PRISMA-2022-0039 · Issue #42510 · nodejs/node · GitHub
    [SECURITY] Fedora 36 Update: yarnpkg-1.22.19-3.fc36 - package-announce - Fedora Mailing-Lists
    [SECURITY] [DLA 3271-1] node-minimatch security update
    [SECURITY] Fedora 37 Update: yarnpkg-1.22.19-3.fc37 - package-announce - Fedora Mailing-Lists

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE