{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21538", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.123Z", "datePublished": "2024-11-08T05:00:04.695Z", "dateUpdated": "2025-05-20T14:38:35.942Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"}}], "credits": [{"value": "Rongchen Li", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "description": "Regular Expression Denial of Service (ReDoS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2025-05-19T03:13:17.431Z"}, "descriptions": [{"value": "Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349"}, {"url": "https://github.com/moxystudio/node-cross-spawn/pull/160"}, {"url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f"}, {"url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff"}], "affected": [{"product": "cross-spawn", "versions": [{"version": "0", "lessThan": "6.0.6", "status": "affected", "versionType": "semver"}, {"version": "7.0.0", "lessThan": "7.0.5", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}, {"product": "org.webjars.npm:cross-spawn", "versions": [{"version": "0", "lessThan": "7.0.6", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1333", "lang": "en", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "affected": [{"vendor": "cross-spawn", "product": "cross-spawn", "cpes": ["cpe:2.3:a:cross-spawn:cross-spawn:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "7.0.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-08T14:54:27.777922Z", "id": "CVE-2024-21538", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T14:38:35.942Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21538", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-08T14:54:27.777922Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cross-spawn:cross-spawn:*:*:*:*:*:*:*:*"], "vendor": "cross-spawn", "product": "cross-spawn", "versions": [{"status": "affected", "version": "0", "lessThan": "7.0.5", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-08T14:56:53.940Z"}}], "cna": {"credits": [{"lang": "en", "value": "Rongchen Li"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "NONE"}, "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "cross-spawn", "versions": [{"status": "affected", "version": "0", "lessThan": "6.0.6", "versionType": "semver"}, {"status": "affected", "version": "7.0.0", "lessThan": "7.0.5", "versionType": "semver"}]}, {"vendor": "n/a", "product": "org.webjars.npm:cross-spawn", "versions": [{"status": "affected", "version": "0", "lessThan": "7.0.6", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349"}, {"url": "https://github.com/moxystudio/node-cross-spawn/pull/160"}, {"url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f"}, {"url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff"}], "descriptions": [{"lang": "en", "value": "Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1333", "description": "Regular Expression Denial of Service (ReDoS)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2025-05-19T03:13:17.431Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21538", "state": "PUBLISHED", "dateUpdated": "2025-05-20T14:38:35.942Z", "dateReserved": "2023-12-22T12:33:20.123Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-11-08T05:00:04.695Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string."}, {"lang": "es", "value": "Las versiones del paquete cross-spawn anteriores a la 7.0.5 son vulnerables a la denegaci\u00f3n de servicio por expresi\u00f3n regular (ReDoS) debido a una desinfecci\u00f3n de entrada incorrecta. Un atacante puede aumentar el uso de la CPU y hacer que el programa se bloquee manipulando una cadena muy grande y bien manipulada."}], "id": "CVE-2024-21538", "lastModified": "2025-05-20T15:16:03.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-11-08T05:15:06.453", "references": [{"source": "report@snyk.io", "url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff"}, {"source": "report@snyk.io", "url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f"}, {"source": "report@snyk.io", "url": "https://github.com/moxystudio/node-cross-spawn/pull/160"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1249", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-server-rhel9:1.12.0-1", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-10T00:00:00Z"}, {"advisory": "RHSA-2025:1249", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-ui-rhel9:1.12.0-1", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-10T00:00:00Z"}, {"advisory": "RHSA-2024:10665", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.4.7-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2024-12-02T00:00:00Z"}, {"advisory": "RHSA-2024:10186", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.5.5-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-11-22T00:00:00Z"}, {"advisory": "RHBA-2024:10760", "cpe": "cpe:/a:redhat:rhdh:1.3::el9", "package": "rhdh/rhdh-hub-rhel9:1.3-131", "product_name": "Red Hat Developer Hub 1.3 on RHEL 9", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2025:8510", "cpe": "cpe:/a:redhat:rhmt:1.8::el8", "package": "rhmtc/openshift-migration-ui-rhel8:v1.8.7-2", "product_name": "Red Hat Migration Toolkit for Containers 1.8", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2024:11031", "cpe": "cpe:/a:redhat:openshift:4.14::el8", "package": "openshift4/ose-monitoring-plugin-rhel8:v4.14.0-202412040905.p0.g4fa7043.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2024-12-19T00:00:00Z"}, {"advisory": "RHSA-2024:10839", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "openshift4/ose-monitoring-plugin-rhel8:v4.15.0-202412041605.p0.g1217bc1.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:10823", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-monitoring-plugin-rhel9:v4.16.0-202412040032.p0.g6cfc2c8.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:10518", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-monitoring-plugin-rhel9:v4.17.0-202411261404.p0.gad057d3.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10518", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-networking-console-plugin-rhel9:v4.17.0-202411261204.p0.gfa9e6b0.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2025:0875", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/nmstate-console-plugin-rhel9:v4.17.0-202501301204.p0.gcffdc60.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-02-05T00:00:00Z"}, {"advisory": "RHSA-2025:0892", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/code-rhel9:3.18-6", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0892", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/dashboard-rhel9:3.18-10", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2024:10907", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/grafana-rhel8:2.4.13-2", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2024:10907", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.4.13-2", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2024:10907", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/kiali-rhel8:1.65.18-1", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2024:10907", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/pilot-rhel8:2.4.13-2", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2024:10907", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.4.13-4", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2024:10907", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.4.13-2", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2024:10908", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-ossmc-rhel8:1.73.16-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2024:10908", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-rhel8:1.73.17-1", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2025:8551", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.14::el9", "package": "odf4/ocs-client-console-rhel9:v4.14.18-2", "product_name": "RHODF-4.14-RHEL-9", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8551", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.14::el9", "package": "odf4/odf-console-rhel9:v4.14.18-3", "product_name": "RHODF-4.14-RHEL-9", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8551", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.14::el9", "package": "odf4/odf-multicluster-console-rhel9:v4.14.18-2", "product_name": "RHODF-4.14-RHEL-9", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:0164", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/mcg-core-rhel9:v4.15.9-1", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2025-01-09T00:00:00Z"}, {"advisory": "RHSA-2025:8544", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-client-console-rhel9:v4.15.14-2", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8544", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-console-rhel9:v4.15.14-2", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8544", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-multicluster-console-rhel9:v4.15.14-2", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2024:11292", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package": "odf4/mcg-core-rhel9:v4.16.4-2", "product_name": "RHODF-4.16-RHEL-9", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2025:0082", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package": "odf4/ocs-client-console-rhel9:v4.16.5-2", "product_name": "RHODF-4.16-RHEL-9", "release_date": "2025-01-08T00:00:00Z"}, {"advisory": "RHSA-2025:0082", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package": "odf4/odf-console-rhel9:v4.16.5-2", "product_name": "RHODF-4.16-RHEL-9", "release_date": "2025-01-08T00:00:00Z"}, {"advisory": "RHSA-2025:0082", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package": "odf4/odf-multicluster-console-rhel9:v4.16.5-2", "product_name": "RHODF-4.16-RHEL-9", "release_date": "2025-01-08T00:00:00Z"}, {"advisory": "RHSA-2024:10986", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.17::el9", "package": "odf4/mcg-core-rhel9:v4.17.1-2", "product_name": "RHODF-4.17-RHEL-9", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2025:0079", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.17::el9", "package": "odf4/ocs-client-console-rhel9:v4.17.2-1", "product_name": "RHODF-4.17-RHEL-9", "release_date": "2025-01-08T00:00:00Z"}, {"advisory": "RHSA-2025:0079", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.17::el9", "package": "odf4/odf-console-rhel9:v4.17.2-1", "product_name": "RHODF-4.17-RHEL-9", "release_date": "2025-01-08T00:00:00Z"}, {"advisory": "RHSA-2025:0079", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.17::el9", "package": "odf4/odf-multicluster-console-rhel9:v4.17.2-1", "product_name": "RHODF-4.17-RHEL-9", "release_date": "2025-01-08T00:00:00Z"}, {"advisory": "RHSA-2025:2652", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.18::el9", "package": "odf4/ocs-client-console-rhel9:v4.18.0-65", "product_name": "RHODF-4.18-RHEL-9", "release_date": "2025-03-11T00:00:00Z"}, {"advisory": "RHSA-2025:2652", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.18::el9", "package": "odf4/odf-console-rhel9:v4.18.0-65", "product_name": "RHODF-4.18-RHEL-9", "release_date": "2025-03-11T00:00:00Z"}, {"advisory": "RHSA-2025:2652", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.18::el9", "package": "odf4/odf-multicluster-console-rhel9:v4.18.0-64", "product_name": "RHODF-4.18-RHEL-9", "release_date": "2025-03-11T00:00:00Z"}, {"advisory": "RHBA-2024:11265", "cpe": "cpe:/a:redhat:rhdh:1.4::el9", "package": "registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3", "product_name": "Red Hat Developer Hub (RHDH) 1.4", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2025:3368", "cpe": "cpe:/a:redhat:openshift_ai:2.16::el8", "package": "registry.redhat.io/rhoai/odh-dashboard-rhel8:sha256:13da7e12e135cdb33c89686eca84cffae8ef691fcb4f346622ebd9b47f0a69ee", "product_name": "Red Hat OpenShift AI 2.16", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3397", "cpe": "cpe:/a:redhat:openshift_ai:2.16::el8", "package": "registry.redhat.io/rhoai/odh-dashboard-rhel8:sha256:13da7e12e135cdb33c89686eca84cffae8ef691fcb4f346622ebd9b47f0a69ee", "product_name": "Red Hat OpenShift AI 2.16", "release_date": "2025-03-31T00:00:00Z"}, {"advisory": "RHSA-2025:1448", "cpe": "cpe:/a:redhat:openshift_ai:2.17::el8", "package": "registry.redhat.io/rhoai/odh-dashboard-rhel8:sha256:e19276083d932dad46be57674cadf2757a4eeb5d1e2cc2b4ae650e0c8d2c1b02", "product_name": "Red Hat OpenShift AI 2.17", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1286", "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.1::el9", "package": "registry.redhat.io/rhtas/rekor-search-ui-rhel9:sha256:ab85e4f3fe88f7c6a376445273ce5b76c10dc805e438314fbab6d668e75ed53d", "product_name": "Red Hat Trusted Artifact Signer 1.1", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1321", "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.1::el9", "package": "registry.redhat.io/rhtas/rekor-search-ui-rhel9:sha256:39220599ff9bbcd77ca8188a9c2c2cd75aa914b623bfc5ed01b6d0c607a833b9", "product_name": "Red Hat Trusted Artifact Signer 1.1", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1842", "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.1::el9", "package": "registry.redhat.io/rhtas/rekor-search-ui-rhel9:sha256:1432b47ddd881eb1909453e939c791825e7853b4abc00a12dddd948f99022ab3", "product_name": "Red Hat Trusted Artifact Signer 1.1", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2024:11255", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2024:11256", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2024-12-17T00:00:00Z"}], "bugzilla": {"description": "cross-spawn: regular expression denial of service", "id": "2324550", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324550"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-1333", "details": ["Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.", "A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string."], "name": "CVE-2024-21538", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "cross-spawn", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Not affected", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Fix deferred", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/console-mce-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:network_observ_optr:1", "fix_state": "Fix deferred", "package_name": "network-observability/network-observability-console-plugin-rhel9", "product_name": "Network Observability Operator"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Fix deferred", "package_name": "workload-availability/node-remediation-console-rhel8", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed-tech-preview/lightspeed-console-plugin-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-25/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "cross-spawn", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "cross-spawn", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Fix deferred", "package_name": "cross-spawn", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "cross-spawn", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Affected", "package_name": "rhcl-console-plugin-container", "product_name": "Red Hat Connectivity Link 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "cross-spawn", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "cross-spawn", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "cross-spawn", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "cross-spawn", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "cross-spawn", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/dashboard-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/console-plugin-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-argocd-rhel9-container", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "cross-spawn", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "nodejs-node-sass", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "nodejs-webpack-cli", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "cross-spawn", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/fulcio-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2024-11-08T05:00:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21538\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21538\nhttps://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff\nhttps://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f\nhttps://github.com/moxystudio/node-cross-spawn/pull/160\nhttps://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230"], "threat_severity": "Low"}