Candidate: CVE-2018-7158
PublicDate: 2018-05-17 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7158
Description:
 The `'path'` module in the Node.js 4.x release line contains a potential
 regular expression denial of service (ReDoS) vector. The code in question
 was replaced in Node.js 6.x and later so this vulnerability only impacts
 all versions of Node.js 4.x. The regular expression, `splitPathRe`, used
 within the `'path'` module for the various path parsing functions,
 including `path.dirname()`, `path.extname()` and `path.parse()` was
 structured in such a way as to allow an attacker to craft a string, that
 when passed through one of these functions, could take a significant amount
 of time to evaluate, potentially leading to a full denial of service.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_nodejs:
upstream_nodejs: released (6.0.0~dfsg-1)
precise/esm_nodejs: DNE
trusty_nodejs: ignored (out of standard support)
trusty/esm_nodejs: needed
xenial_nodejs: ignored (end of standard support, was needed)
artful_nodejs: not-affected (6.11.4~dfsg-1ubuntu1)
bionic_nodejs: not-affected (8.10.0~dfsg-2)
cosmic_nodejs: not-affected (8.10.0~dfsg-2)
disco_nodejs: not-affected (8.10.0~dfsg-2)
eoan_nodejs: not-affected (8.10.0~dfsg-2)
focal_nodejs: not-affected (8.10.0~dfsg-2)
groovy_nodejs: not-affected (8.10.0~dfsg-2)
hirsute_nodejs: not-affected (8.10.0~dfsg-2)
impish_nodejs: not-affected (8.10.0~dfsg-2)
jammy_nodejs: not-affected (8.10.0~dfsg-2)
devel_nodejs: not-affected (8.10.0~dfsg-2)