Bug 1608140 (CVE-2018-16492)

Summary: CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, bdettelb, bleanhar, cbyrne, ccoleman, cmacedo, dedgar, dffrench, drusso, hhorak, jgoulding, jmadigan, jokerman, jorton, jshepherd, lgriffin, mchappel, ngough, piotr1212, pwright, sfowler, tomckay, trepel, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-extend 2.0.2, nodesj-extend 3.0.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:34:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1608142, 1608141, 1616060    
Bug Blocks: 1608143    

Description Sam Fowler 2018-07-25 04:17:13 UTC 
nodejs-extend before versions 2.0.2 and 3.0.2 is vulnerable to prototype pollution. Utilities function can be tricked into modifying the prototype of "Object" when the attacker control part of the structure passed to these function. This can let an attacker add or modify existing property that will exist on all object.


External Reference:

https://snyk.io/vuln/npm:extend:20180424


Upstream Patch:

https://github.com/justmoon/node-extend/commit/0e68e71d93507fcc391e398bc84abd0666b28190


Upstream Pull Request:

https://github.com/justmoon/node-extend/pull/48
Comment 1 Sam Fowler 2018-07-25 04:18:01 UTC 
Created nodejs-extend tracking bugs for this issue:

Affects: epel-7 [bug 1608142]
Affects: fedora-all [bug 1608141]
Comment 2 Pedro YĆ³ssis Silva Barbosa 2018-08-14 20:10:16 UTC 
More info about "Prototype Pollution": https://medium.com/intrinsic/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96
Comment 7 Jason Shepherd 2021-05-07 03:00:42 UTC 
Statement:

Red Hat Quay includes 'extend' as a build time dependency. It's not used at runtime reducing the impact of this vulnerability to low.
Comment 9 errata-xmlrpc 2021-10-19 12:10:11 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917