#js

### Impact Possible ReDoS with lib input of `{{` and with many repetitions of `{{|`. ### Patches Patched in all versions above `0.2.5` ### Workarounds No known work arounds. ### References - OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS) - Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS). - Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity). - James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf). - Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html). - Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).

Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests.

Red Hat OpenShift Service Mesh 2.2.2 Containers Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30630: golang: io/fs: stack exhaustion in Glob * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30633: golang: encoding/xml: stack exhaustion in Unmarshal * CVE-2022-30635: golang: encoding/gob: stack...

Red Hat OpenShift Service Mesh 2.1.5 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24785: Moment.js: Path traversal in moment.locale * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-29526: golang: syscall: faccessat checks wrong group * CVE-2022-30629: golang: crypto/tls: session t...

Red Hat Security Advisory 2022-6248-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include an information leakage vulnerability.

Red Hat OpenShift Container Platform release 4.9.47 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26945: go-getter: command injection vulnerability * CVE-2022-30321: go-getter: unsafe download (issue 1 of 3) * CVE-2022-30322: go-getter: unsafe download (issue 2 of 3) * CVE-2022-30323: go...

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only shared memory mappings. This flaw allows an unprivileged, local user to gain write access to read-only memory mappings, increasing their privileges on the system.

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far back as v1.0.1 and potentially earlier) used a cryptographically insecure Pseudo-random number generator (`Math.random()`), which meant that a specially crafted script combined with multiple invocations of the password reset functionality could enable an attacker to correctly calculate the reset code for an account they do not have access to. This vulnerability impacts all installations of NodeBB. The vulnerability allows for an attacker to take over any account without the involvement of the victim, and as such, the remediation should be applied immediately (either via NodeBB upgrade or cherry-pick of the specific changeset. The vulnerability has been patched in version 2.x and 1.19.x. There is no known workar...

An update is now available for Red Hat OpenShift Service Mesh 2.0.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24785: Moment.js: Path traversal in moment.locale * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS

Exploit involved duping developers into exposing repositories with social engineering techniques