CVE-2024-4068: Memory Exhaustion in braces
First published: Mon May 13 2024(Updated: )
Node.js braces module is vulnerable to a denial of service, caused by the failure to limit the number of characters it can handle. leading to a memory exhaustion in lib/parse.js. By sending imbalanced braces as input, the parsing will enter a loop causing the JavaScript heap limit to be reached, and the program will crash.
Credit: 596c5446-0ce5-4ba2-aa66-48b3b757a647 596c5446-0ce5-4ba2-aa66-48b3b757a647
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/braces | <3.0.3 | 3.0.3 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Remedy
Update to version 3.0.3 to mitigate the issue.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2024-4068
- https://github.com/micromatch/braces/issues/35
- https://devhub.checkmarx.com/cve-details/CVE-2024-4068
- https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308
- https://github.com/micromatch/braces/pull/37
- https://github.com/micromatch/braces/pull/40
- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff
- https://github.com/advisories/GHSA-grv7-fg5c-xmjg (Advisory)
- https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280611
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280615
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280616
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280617
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280618
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280610
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280612
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280619
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280620
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280621
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280622
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280623
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280624
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280625
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280626
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280627
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280628
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280629
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280613
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280630
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280614
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2280631
- https://access.redhat.com/errata/RHSA-2024:7164
- https://access.redhat.com/errata/RHSA-2024:8077
- https://access.redhat.com/errata/RHSA-2024:8076
- https://access.redhat.com/errata/RHSA-2024:8075
- https://access.redhat.com/errata/RHSA-2024:8080
- https://access.redhat.com/errata/RHSA-2024:4464
- https://access.redhat.com/errata/RHBA-2024:3593
- https://access.redhat.com/errata/RHBA-2024:2862
- https://access.redhat.com/errata/RHBA-2024:3555
- https://access.redhat.com/errata/RHSA-2024:11023
- https://bugzilla.redhat.com/show_bug.cgi?id=2280600
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-4068?
CVE-2024-4068 has a high severity rating due to its potential for denial of service through memory exhaustion.
How do I fix CVE-2024-4068?
To fix CVE-2024-4068, upgrade the braces package to version 3.0.3 or apply relevant patches for affected IBM products.
What causes CVE-2024-4068?
CVE-2024-4068 is caused by the inability of the braces module to limit the number of characters in input, leading to infinite loops and memory issues.
Which software is affected by CVE-2024-4068?
CVE-2024-4068 affects the braces module in Node.js and IBM Cognos Analytics versions up to 12.0.3 and 11.2.4 FP4.
Is CVE-2024-4068 exploitable remotely?
Yes, CVE-2024-4068 can be exploited remotely if an attacker can send specially crafted imbalanced braces as input.
- agent/title
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/author
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-grv7-fg5c-xmjg
- alias/CVE-2024-4068
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- collector/ibm-support
- source/IBM
- agent/references
- agent/severity
- agent/softwarecombine
- agent/event
- agent/trending
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- agent/source
- package-manager/npm
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4