Security Bulletin: IBM Data Product Hub uses Node.js micromatch & braces modules which are vulnerable to a denial of service (CVE-2024-4067 & CVE-2024-4068)

Summary

IBM Data Product Hub has dependencies on Node.js micromatch & braces modules which are vulnerable to a denial of service (CVE-2024-4067 & CVE-2024-4068). This bulletin contains information regarding the vulnerabilities and their fixture.

Vulnerability Details

CVEID:CVE-2024-4068
**DESCRIPTION:**Node.js braces module is vulnerable to a denial of service, caused by the failure to limit the number of characters it can handle. leading to a memory exhaustion in lib/parse.js. By sending imbalanced braces as input, the parsing will enter a loop causing the JavaScript heap limit to be reached, and the program will crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290675 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-4067
**DESCRIPTION:**Node.js micromatch module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in micromatch.braces() in index.js. By sending a specially crafted payload, a remote attacker could exploit this vulnerability to increase the consumption time until the application hangs or slows down.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)|**Version(s)
**
—|—
IBM Data Product Hub| 5.0.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Affected Product(s)|**Fixed in Version(s)
**
—|—
IBM Data Product Hub| 5.0.1 or latest

Workarounds and Mitigations

None