CVE-2024-21538 Affecting renovate package, versions <39.22.0-r0
Threat Intelligence
EPSS
0.05% (17th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CHAINGUARDLATEST-RENOVATE-8400202
- published 20 Nov 2024
- disclosed 8 Nov 2024
How to fix?
Upgrade Chainguard renovate to version 39.22.0-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream renovate package and not the renovate package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
References
- https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff
- https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
- https://github.com/moxystudio/node-cross-spawn/pull/160
- https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349