Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized. https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873 https://github.com/salesforce/tough-cookie/issues/282 https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3
Created breeze-icon-theme tracking bugs for this issue: Affects: epel-all [bug 2220673] Affects: fedora-all [bug 2220678] Created dotnet6.0 tracking bugs for this issue: Affects: fedora-all [bug 2220679] Created dotnet7.0 tracking bugs for this issue: Affects: fedora-all [bug 2220680] Created golang-github-prometheus tracking bugs for this issue: Affects: epel-all [bug 2220674] Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-all [bug 2220675] Created seamonkey tracking bugs for this issue: Affects: epel-all [bug 2220676] Affects: fedora-all [bug 2220681] Created yarnpkg tracking bugs for this issue: Affects: epel-all [bug 2220677] Affects: fedora-all [bug 2220682]
This issue has been addressed in the following products: RHOL-5.7-RHEL-8 Via RHSA-2023:3998 https://access.redhat.com/errata/RHSA-2023:3998
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-26136
Created golang-github-prometheus tracking bugs for this issue: Affects: fedora-all [bug 2223508]
This issue has been addressed in the following products: multicluster engine for Kubernetes 2.3 for RHEL 8 Via RHSA-2023:5421 https://access.redhat.com/errata/RHSA-2023:5421
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8 Via RHSA-2023:5442 https://access.redhat.com/errata/RHSA-2023:5442
This issue has been addressed in the following products: EAP 7.4.13 Via RHSA-2023:5488 https://access.redhat.com/errata/RHSA-2023:5488
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2023:5484 https://access.redhat.com/errata/RHSA-2023:5484
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2023:5485 https://access.redhat.com/errata/RHSA-2023:5485
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:5486 https://access.redhat.com/errata/RHSA-2023:5486
This issue has been addressed in the following products: RHOL-5.6-RHEL-8 Via RHSA-2023:5541 https://access.redhat.com/errata/RHSA-2023:5541
This issue has been addressed in the following products: RHOL-5.5-RHEL-8 Via RHSA-2023:5542 https://access.redhat.com/errata/RHSA-2023:5542
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.8 Via RHSA-2023:7222 https://access.redhat.com/errata/RHSA-2023:7222
Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version of netty.