CVE-2022-37603 (High) detected in loader-utils-2.0.3

[jovancacvetkovic]

CVE-2022-46175 - High Severity Vulnerability

Vulnerability Library - loader-utils - 2.0.3

loader-utils - 2.0.3 (current version)
Found in base branch: main

CVSS 3 Score Details - (7.5)

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: Oct 6, 2022

Fix Resolution: loader-utils - 2.0.4

More Info

loader-utils issue resolved with #213

[ananzh]

CVE-2022-37603 and CVE-2022-37599 Analysis

• CVE-2022-37603

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable

Github Issue: #2612

• CVE-2022-37599

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)

Github issue: #2560

• 2.5 has loader-util version 2.0.3

We did bump it to 2.0.3 in this PR (backport PR to 2.x):
#2706

ubuntu@ip-172-31-55-237:~/OpenSearch-Dashboards$ yarn why loader-utils
yarn why v1.22.19
[1/4] Why do we have the module "loader-utils"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "loader-utils@2.0.3"
info Reasons this module exists
   - "_project_#@osd#ui-shared-deps" depends on it
   - Hoisted from "_project_#@osd#ui-shared-deps#loader-utils"
   - Hoisted from "_project_#@osd#optimizer#loader-utils"
   - Hoisted from "_project_#@osd#pm#string-replace-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#url-loader#loader-utils"
   - Hoisted from "_project_#@osd#ace#webpack#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#babel-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#copy-webpack-plugin#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#css-loader#loader-utils"
   - Hoisted from "_project_#@osd#optimizer#file-loader#loader-utils"
   - Hoisted from "_project_#@osd#ui-shared-deps#mini-css-extract-plugin#loader-utils"
   - Hoisted from "_project_#@osd#optimizer#postcss-loader#loader-utils"
   - Hoisted from "_project_#@osd#ace#raw-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#sass-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#style-loader#loader-utils"
   - Hoisted from "_project_#@osd#ui-shared-deps#val-loader#loader-utils"
info Disk size without dependencies: "396KB"
info Disk size with unique dependencies: "648KB"
info Disk size with transitive dependencies: "752KB"
info Number of shared dependencies: 4
Done in 0.99s.

• main has loader-util version 2.0.4

We bump the version to 2.0.4 in this PR:
#3031
But it does not backport to 2.x and 2.5.

Fixes and action item:

• Affected versions and patched versions

Affected versions    Patched versions
>= 1.0.0, < 1.4.2      1.4.2
>= 2.0.0, < 2.0.4      2.0.4
>= 3.0.0, < 3.2.1      3.2.1

• Action item

2.0.4 is the target version. We did bump the version to 2.0.4 in this PR in main:
#3031
But it does not backport to 2.x and 2.5. Will check with @ZilongX why this fix has not been backported.

If there is no breaking changes, we will backport the PR to bump the version.

[ananzh]

Currently only 2.x is using 2.0.3

ubuntu@ip-172-31-55-237:~/OpenSearch-Dashboards$ yarn why loader-utils
yarn why v1.22.19
[1/4] Why do we have the module "loader-utils"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "loader-utils@2.0.3"
info Reasons this module exists
   - "_project_#@osd#ui-shared-deps" depends on it
   - Hoisted from "_project_#@osd#ui-shared-deps#loader-utils"
   - Hoisted from "_project_#@osd#optimizer#loader-utils"
   - Hoisted from "_project_#@osd#pm#string-replace-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#url-loader#loader-utils"
   - Hoisted from "_project_#@osd#ace#webpack#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#babel-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#copy-webpack-plugin#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#css-loader#loader-utils"
   - Hoisted from "_project_#@osd#optimizer#file-loader#loader-utils"
   - Hoisted from "_project_#@osd#ui-shared-deps#mini-css-extract-plugin#loader-utils"
   - Hoisted from "_project_#@osd#optimizer#postcss-loader#loader-utils"
   - Hoisted from "_project_#@osd#ace#raw-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#sass-loader#loader-utils"
   - Hoisted from "_project_#@osd#interpreter#style-loader#loader-utils"
   - Hoisted from "_project_#@osd#ui-shared-deps#val-loader#loader-utils"
info Disk size without dependencies: "384KB"
info Disk size with unique dependencies: "648KB"
info Disk size with transitive dependencies: "752KB"
info Number of shared dependencies: 4
Done in 0.92s.

[ananzh]

We will backport to 2.x and 2.5

[ananzh]

2.x fix: #3318
2.5 fix: #3319 (need 2.5.1 release)