Fluid Attacks Database

Description

glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	node-glob-parent	>=0 <5.1.1+~5.1.0-2	5.1.1+~5.1.0-2
debian 12	node-glob-parent	>=0 <5.1.1+~5.1.0-2	5.1.1+~5.1.0-2
debian 14	node-glob-parent	>=0 <5.1.1+~5.1.0-2	5.1.1+~5.1.0-2
debian 13	node-glob-parent	>=0 <5.1.1+~5.1.0-2	5.1.1+~5.1.0-2
npm	glob-parent	>=4.0.0 <5.1.2	5.1.2
rpm rhel8.4	nodejs	<1:14.18.2-2.module+el8.4.0+13643+6c0ebf22	1:14.18.2-2.module+el8.4.0+13643+6c0ebf22
rpm rhel9	nodejs-nodemon	<0:2.0.19-1.el9_0	0:2.0.19-1.el9_0
rpm rhel8	nodejs	<1:14.18.2-2.module+el8.5.0+13644+8d46dafd	1:14.18.2-2.module+el8.5.0+13644+8d46dafd
rpm rhel8	nodejs-nodemon	-	-

Aliases

1. CVE-2020-284692. NVD-2020-284693. OSV-DEBIAN-2020-284694. OSV-2020-284695. GCVE-2020-284696. SECURITY-TRACKER-CVE-2020-28469

References

1. https://github.com/gulpjs/glob-parent/pull/362. https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee463. https://github.com/gulpjs/glob-parent/commit/4a80667c69355c76a572a5892b0f133c8e1f457e4. https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L95. https://github.com/gulpjs/glob-parent/releases/tag/v5.1.26. https://www.oracle.com/security-alerts/cpujan2022.html