Upstream information

CVE-2024-45296 at MITRE

Description

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
  CNA (GitHub)
Base Score 7.5
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact High
CVSSv3 Version 3.1
No SUSE Bugzilla entries cross referenced.

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • argocd-cli >= 2.12.4-1.1
  • argocd-cli-bash-completion >= 2.12.4-1.1
  • argocd-cli-zsh-completion >= 2.12.4-1.1
Patchnames:
openSUSE-Tumbleweed-2024-14374


SUSE Timeline for this CVE

CVE page created: Mon Sep 9 22:00:21 2024
CVE page last modified: Mon Oct 14 19:56:21 2024