Candidate: CVE-2021-23362
PublicDate: 2021-03-23 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23362
 https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356
 https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
Description:
 The package hosted-git-info before 3.0.8 is vulnerable to Regular
 Expression Denial of Service (ReDoS) via regular expression shortcutMatch
 in the fromUrl function in index.js. The affected regular expression
 exhibits polynomial worst-case time complexity.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: pfsmorigo
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM]

Patches_node-hosted-git-info:
 upstream: https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
upstream_node-hosted-git-info: released (3.0.8-1)
precise/esm_node-hosted-git-info: DNE
trusty_node-hosted-git-info: ignored (out of standard support)
trusty/esm_node-hosted-git-info: DNE
xenial_node-hosted-git-info: DNE
bionic_node-hosted-git-info: needs-triage
focal_node-hosted-git-info: needs-triage
groovy_node-hosted-git-info: ignored (reached end-of-life)
hirsute_node-hosted-git-info: not-affected (3.0.8-1)
impish_node-hosted-git-info: not-affected (3.0.8-1)
jammy_node-hosted-git-info: not-affected (3.0.8-1)
devel_node-hosted-git-info: not-affected (3.0.8-1)