Back to bug 2219310
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| TEJ RATHI | 2023-07-03 08:20:10 UTC | CC | | aazores, abobrov, adupliak, aileenc, alampare, alazarot, amctagga, andrew.slice, aoconnor, asoldano, aveerama, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, bniver, bodavis, brian.stansberry, cdewolf, chazlett, cluster-maint, darran.lofthouse, dbhole, dcadzow, dhanak, dkenigsb, dkreling, dosoudil, dsimansk, dymurray, eaguilar, ebaron, ehelms, elima, ellin, emingora, erack, eric.wittmann, fdeutsch, fjuma, flucifre, fzatlouk, gjospin, gmalinko, gmeno, gparvin, grafana-maint, gzaronik, hbraun, hhorak, ibek, ibolton, idevat, idm-ds-dev-bugs, ivassile, iweiss, janstey, jcantril, jhorak, jkang, jkoehler, jkurik, jmatthew, jmontleo, jorton, jpallich, jpavlik, jrokos, jscotka, jshaughn, jsherril, jwendell, jweng, kanderso, klember, kverlaen, lbacciot, lball, lgao, lvaleeva, lzap, matzew, mbenjamin, mhackett, mhulan, mlisik, mnovotny, mosmerov, mpitt, mpospisi, msochure, mstefank, msvehla, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmoumoul, nodejs-maint, nwallace, ocs-bugs, omajid, omular, orabin, oramraz, owatkins, pahickey, pantinor, pcreech, pdelbell, peholase, periklis, pjindal, pmackay, rcernich, rchan, release-test-team, rgarg, rguimara, rhuss, rjohnson, rstancel, rwagner, saroy, scorneli, scox, sfroberg, sgott, shbose, skontopo, slucidi, smaestri, smullick, sostapov, sseago, stcannon, stransky, teagle, tojeline, tom.jenkinson, tpopela, twalsh, ubhargav, vereddy, zsvetlik |
| TEJ RATHI | 2023-07-03 08:45:15 UTC | Depends On | | 2219316, 2219315, 2219314 |
| TEJ RATHI | 2023-07-03 08:49:26 UTC | Depends On | | 2219318 |
| TEJ RATHI | 2023-07-03 08:52:22 UTC | Depends On | | 2219322, 2219320, 2219321, 2219325, 2219319 |
| TEJ RATHI | 2023-07-03 09:06:38 UTC | CC | | dfreiber, jburrell, rogbas, vkumar |
| TEJ RATHI | 2023-07-03 09:09:02 UTC | Depends On | | 2219336, 2219339, 2219337, 2219338 |
| TEJ RATHI | 2023-07-03 09:17:08 UTC | Depends On | | 2219346, 2219347 |
| TEJ RATHI | 2023-07-03 09:21:01 UTC | Blocks | | 2219348 |
| Avinash Hanwate | 2023-07-06 03:40:06 UTC | Fixed In Version | | tough-cookie 4.1.3 |
| Avinash Hanwate | 2023-07-06 03:40:06 UTC | Doc Text | | A flaw was found in the tough-cookie package. The affected versions of tough-cookie package could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
| Avinash Hanwate | 2023-07-06 03:40:06 UTC | Alias | TRIAGE-CVE-2023-26136 | CVE-2023-26136 |
| Avinash Hanwate | 2023-07-06 03:40:06 UTC | Summary | TRIAGE-CVE-2023-26136 tough-cookie: prototype pollution in cookie memstore | CVE-2023-26136 tough-cookie: prototype pollution in cookie memstore |
| Avinash Hanwate | 2023-07-06 03:43:28 UTC | Depends On | | 2220677, 2220678, 2220680, 2220682, 2220673, 2220679, 2220674, 2220676, 2220675, 2220681 |
| RaTasha Tillery-Smith | 2023-07-06 15:32:05 UTC | Doc Text | A flaw was found in the tough-cookie package. The affected versions of tough-cookie package could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system. | A flaw was found in the tough-cookie package. Affected versions of the tough-cookie package could allow a remote attacker to execute arbitrary code on the system caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. An attacker can execute arbitrary code on the system by adding or modifying properties of Object.prototype using a __proto__ or constructor payload. |
| Red Hat Bugzilla | 2023-07-07 08:29:09 UTC | Assignee | security-response-team | nobody |
| errata-xmlrpc | 2023-07-12 17:58:15 UTC | Link ID | | Red Hat Product Errata RHSA-2023:3998 |
| Product Security DevOps Team | 2023-07-12 22:50:46 UTC | Status | NEW | CLOSED |
| Product Security DevOps Team | 2023-07-12 22:50:46 UTC | Resolution | --- | ERRATA |
| Product Security DevOps Team | 2023-07-12 22:50:46 UTC | Last Closed | | 2023-07-12 22:50:46 UTC |
| Avinash Hanwate | 2023-07-18 05:27:29 UTC | Depends On | | 2223508 |
| Anten Skrabec | 2023-07-18 20:54:55 UTC | Doc Text | A flaw was found in the tough-cookie package. Affected versions of the tough-cookie package could allow a remote attacker to execute arbitrary code on the system caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. An attacker can execute arbitrary code on the system by adding or modifying properties of Object.prototype using a __proto__ or constructor payload. | A flaw was found in the tough-cookie package. Affected versions of the tough-cookie package could allow a remote attacker to execute arbitrary code on the system caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. An attacker may be able to execute arbitrary code on the system by adding or modifying properties of Object.prototype using a __proto__ or constructor payload. |
| Anten Skrabec | 2023-07-18 20:54:55 UTC | Resolution | ERRATA | --- |
| Anten Skrabec | 2023-07-18 20:54:55 UTC | Status | CLOSED | NEW |
| Anten Skrabec | 2023-07-18 20:54:55 UTC | Keywords | | Reopened |
| Anten Skrabec | 2023-07-18 20:55:24 UTC | Doc Text | A flaw was found in the tough-cookie package. Affected versions of the tough-cookie package could allow a remote attacker to execute arbitrary code on the system caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. An attacker may be able to execute arbitrary code on the system by adding or modifying properties of Object.prototype using a __proto__ or constructor payload. | A flaw was found in the tough-cookie package. Affected versions of the tough-cookie package could allow a remote attacker to execute arbitrary code on the system caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. |
| Red Hat Bugzilla | 2023-07-21 22:26:27 UTC | CC | jpavlik | |
| Red Hat Bugzilla | 2023-08-03 08:29:00 UTC | CC | ocs-bugs | |
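The Doc Text above describes the flaw class but not the mechanism. The following is an added illustration written for this page; it is not tough-cookie's code and not the patch shipped in 4.1.3. It models a memory-backed cookie index shaped idx[domain][path][name] with plain objects (pollutable) beside the same index built from null-prototype objects (one standard mitigation), behind a small Set-Cookie attribute parser and a simplified stand-in for the rejectPublicSuffixes option. The parser, the registrable-domain regex and the Set-Cookie lines are constructed here and are assumptions, not tough-cookie's real parser or public-suffix check.

```javascript
// Added example for the bug class in CVE-2023-26136's Doc Text. NOT tough-cookie's
// code: a small model of an in-memory cookie index keyed idx[domain][path][name].

// Assumed helper: minimal Set-Cookie attribute parser (not tough-cookie's parser).
// "Auth=Lol; Domain=__proto__; Path=/notauth" -> { name, value, domain, path }
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1).trim(), domain: null, path: "/" };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const k = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const v = i < 0 ? "" : attr.slice(i + 1).trim();
    if (k === "domain") cookie.domain = v.replace(/^\./, "").toLowerCase();
    else if (k === "path") cookie.path = v;
  }
  return cookie;
}

// Vulnerable shape: nested plain objects. idx["__proto__"] resolves to
// Object.prototype, so the path level is written onto every object in the realm.
class PlainObjectStore {
  constructor() { this.idx = {}; }
  put(c) {
    if (!this.idx[c.domain]) this.idx[c.domain] = {};
    if (!this.idx[c.domain][c.path]) this.idx[c.domain][c.path] = {};
    this.idx[c.domain][c.path][c.name] = c.value;
  }
  get(domain, path, name) {
    const d = this.idx[domain];
    const p = d && d[path];
    return p ? p[name] : undefined;
  }
}

// Hardened shape: every level is a null-prototype object, so there is no chain to
// walk and "__proto__" becomes an ordinary own key on the index.
class NullProtoStore {
  constructor() { this.idx = Object.create(null); }
  put(c) {
    if (!this.idx[c.domain]) this.idx[c.domain] = Object.create(null);
    if (!this.idx[c.domain][c.path]) this.idx[c.domain][c.path] = Object.create(null);
    this.idx[c.domain][c.path][c.name] = c.value;
  }
  get(domain, path, name) {
    const d = this.idx[domain];
    const p = d && d[path];
    return p ? p[name] : undefined;
  }
}

// Jar wrapper modelling the rejectPublicSuffixes option from the Doc Text. The real
// option consults the public suffix list; this stand-in (an assumption) only accepts
// dotted hostname-like domains, which is enough to show why "__proto__" is only
// stored at all when rejectPublicSuffixes is false.
function setCookie(store, header, { rejectPublicSuffixes = true } = {}) {
  const c = parseSetCookie(header);
  if (c.domain === null) return false; // model: require an explicit Domain attribute
  if (rejectPublicSuffixes && !/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(c.domain)) return false;
  store.put(c);
  return true;
}

// Run the Doc Text's scenario (Domain=__proto__) against a store and report whether
// an unrelated object created afterwards inherits the attacker's path entry.
// Deletes the polluted key afterwards so the probe does not affect later code.
function probePollution(StoreClass, rejectPublicSuffixes) {
  const store = new StoreClass();
  // Constructed attacker-controlled Set-Cookie line, mirroring the Doc Text.
  const accepted = setCookie(store, "Auth=polluted; Domain=__proto__; Path=/notauth", { rejectPublicSuffixes });
  const victim = {};
  const leaked = victim["/notauth"] !== undefined && victim["/notauth"].Auth === "polluted";
  delete Object.prototype["/notauth"];
  return { accepted, leaked };
}

// Sanity check that the hardened index still stores and retrieves ordinary cookies.
function roundTrip(StoreClass) {
  const store = new StoreClass();
  setCookie(store, "sid=abc; Domain=example.com; Path=/");
  return store.get("example.com", "/", "sid");
}

console.log("plain object index, rejectPublicSuffixes=false:", probePollution(PlainObjectStore, false));
console.log("null-prototype index, rejectPublicSuffixes=false:", probePollution(NullProtoStore, false));
console.log("plain object index, rejectPublicSuffixes=true:", probePollution(PlainObjectStore, true));
```

With the plain-object index and rejectPublicSuffixes=false the probe reports the cookie as accepted and the "/notauth" key as visible on a fresh `{}`; the null-prototype index accepts the same cookie without leaking anything; and with rejectPublicSuffixes=true the model rejects the cookie before it reaches the store, which is why the Doc Text scopes the flaw to the false mode.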