CVE-2020-28469: Regular Expression Denial of Service (ReDoS)
First published: Tue Jan 12 2021(Updated: )
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs-nodemon | <0:2.0.19-1.el9_0 | 0:2.0.19-1.el9_0 |
| redhat/rh-nodejs14-nodejs-nodemon | <0:2.0.3-5.el7 | 0:2.0.3-5.el7 |
| redhat/rh-nodejs12-nodejs | <0:12.22.5-1.el7 | 0:12.22.5-1.el7 |
| redhat/rh-nodejs12-nodejs-nodemon | <0:2.0.3-5.el7 | 0:2.0.3-5.el7 |
| redhat/ovirt-engine-ui-extensions | <0:1.2.7-1.el8e | 0:1.2.7-1.el8e |
| redhat/ovirt-web-ui | <0:1.7.2-1.el8e | 0:1.7.2-1.el8e |
| redhat/nodejs-glob-parent | <5.1.2 | 5.1.2 |
| Gulpjs Glob-parent | <5.1.2 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| npm/glob-parent | >=4.0.0<5.1.2 | 5.1.2 |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-28469 https://nvd.nist.gov/vuln/detail/CVE-2020-28469 https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://bugzilla.redhat.com/show_bug.cgi?id=1945459
- https://access.redhat.com/errata/RHSA-2021:3016
- https://access.redhat.com/errata/RHSA-2021:5171
- https://access.redhat.com/errata/RHSA-2022:0350
- https://access.redhat.com/errata/RHSA-2022:0246
- https://access.redhat.com/errata/RHSA-2022:6595
- https://access.redhat.com/errata/RHSA-2021:2438
- https://access.redhat.com/errata/RHSA-2021:3280
- https://access.redhat.com/errata/RHSA-2021:3281
- https://access.redhat.com/errata/RHSA-2021:2865
- https://access.redhat.com/errata/RHSA-2021:4626
- https://access.redhat.com/security/cve/cve-2020-28469
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1945464
- https://access.redhat.com/errata/RHSA-2021:1499
- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9
- https://github.com/gulpjs/glob-parent/pull/36
- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-28469
- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46
- https://github.com/gulpjs/glob-parent/commit/4a80667c69355c76a572a5892b0f133c8e1f457e
- https://github.com/advisories/GHSA-ww39-953v-wcq6 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/196451
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-28469?
CVE-2020-28469 is a vulnerability in the package glob-parent before version 5.1.2. It is susceptible to Regular Expression Denial of Service (ReDoS) attacks.
How does CVE-2020-28469 impact the nodejs-glob-parent package?
CVE-2020-28469 allows an attacker to cause a denial of service by supplying a malicious string to the glob-parent function.
What is the severity of CVE-2020-28469?
CVE-2020-28469 has a severity rating of 7.5 (high).
How can I fix CVE-2020-28469?
To fix CVE-2020-28469, update the glob-parent package to version 5.1.2 or higher.
Where can I find more information about CVE-2020-28469?
You can find more information about CVE-2020-28469 at the following references: [CVE-2020-28469](https://www.cve.org/CVERecord?id=CVE-2020-28469), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-28469), [Snyk](https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1945459), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2021:3016).
- collector/redhat-cve
- agent/author
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-28469
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-ww39-953v-wcq6
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/references
- agent/softwarecombine
- agent/title
- agent/severity
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- package-manager/redhat
- vendor/gulpjs
- canonical/gulpjs glob-parent
- vendor/oracle
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- package-manager/npm
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0