Bug 1649409 (CVE-2019-5413)

Summary: CVE-2019-5413 nodejs-morgan: Unescaped input in compile() function
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: ahardin, bleanhar, ccoleman, dedgar, eparis, jgoulding, jokerman, mchappel, tchollingsworth
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: nodejs-morgan 1.9.1
Doc Type: If docs needed, set a value
Doc Text:
The Node.js morgan package, before version 1.9.1, does not properly sanitize input in the compile() function, allowing for potential execution of code. This vulnerability can only be exploited by attackers with the ability to provide input to the compile() function or in combination with another prototype pollution vulnerability.
Last Closed: 2021-10-25 22:20:48 UTC
Bug Depends On: 1649411, 1649412, 1693096, 1693097
Bug Blocks: 1649410

Description Andrej Nemec 2018-11-13 15:09:48 UTC
A code injection vulnerability was found in nodejs morgan before 1.9.1. An attacker could use the format parameter to inject arbitrary commands.

References:

https://hackerone.com/reports/390881

Comment 1 Andrej Nemec 2018-11-13 15:10:55 UTC
Created nodejs-morgan tracking bugs for this issue:

Affects: epel-all [bug 1649412]
Affects: fedora-all [bug 1649411]

Comment 2 Sam Fowler 2019-03-27 04:38:14 UTC
Upstream Patch:

https://github.com/expressjs/morgan/commit/e3296638

Comment 3 Sam Fowler 2019-03-27 07:40:21 UTC
Statement:

This vulnerability affects the nodejs-morgan RPM, used by the openshift3/logging-auth-proxy container in OpenShift Container Platform versions 3.4 through 3.10. The openshift3/logging-auth-proxy container does not expose the vulnerable compile() function, hence this vulnerability can only be exploited in combination with another prototype pollution vulnerability.

Red Hat Product Security has rated this issue as having a security impact of Low.

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/
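The Doc Text above says compile() turned an unsanitized format string into code. As an added illustration that is not morgan's own code, the following simplified JavaScript re-implements the token-compiling pattern with the format embedded via JSON.stringify (the escaping approach the 1.9.1 fix takes, stated here as an assumption), so quotes, backslashes and newlines in a format render as literal text rather than being parsed as JavaScript; the token table, request and response are constructed for the demo.

```javascript
// Added example, not morgan's own code: a simplified re-implementation of the
// token-compiling pattern morgan's compile() uses. The format string is placed
// into the generated source as a JSON literal (the escaping approach taken by
// the 1.9.1 fix; assumption), so quotes, backslashes and newlines in a format
// can never close the string and be parsed as JavaScript.
function compileFormat (format) {
  if (typeof format !== 'string') {
    throw new TypeError('argument format must be a string')
  }
  // JSON.stringify always yields a valid, self-contained JS string literal.
  const literal = JSON.stringify(format)
  // Rewrite ":token" / ":token[arg]" inside that literal into token lookups;
  // names and args are themselves emitted via JSON.stringify, so nothing
  // from the format reaches the generated code unquoted.
  const body = '"use strict"; return ' + literal.replace(
    /:([-\w]{2,})(?:\[([^\]]+)\])?/g,
    (_, name, arg) => {
      const args = arg === undefined ? 'req, res' : 'req, res, ' + JSON.stringify(arg)
      return '" + (tokens[' + JSON.stringify(name) + '](' + args + ') || "-") + "'
    })
  // eslint-disable-next-line no-new-func
  return new Function('tokens', 'req', 'res', body)
}

// Constructed token table and request/response, standing in for morgan's.
const tokens = {
  method: (req) => req.method,
  url: (req) => req.url,
  status: (req, res) => (res.statusCode === undefined ? undefined : String(res.statusCode)),
  req: (req, res, field) => req.headers[String(field).toLowerCase()]
}
const sampleReq = { method: 'GET', url: '/health', headers: { 'x-request-id': 'abc123' } }
const sampleRes = { statusCode: 200 }

// Render one log line for a format; used by the regression checks below.
function renderLine (format, req = sampleReq, res = sampleRes) {
  return compileFormat(format)(tokens, req, res)
}

// Regression check a defender can keep in a test suite: a token-free format
// containing text that would end a naively quoted string must come back
// verbatim, never be executed.
function formatIsInert (format) {
  return renderLine(format, sampleReq, sampleRes) === format
}

console.log(renderLine(':method :url :status'))        // GET /health 200
console.log(renderLine(':method :req[x-request-id]'))   // GET abc123
console.log(formatIsInert('"quoted" \\ text\n'))        // true
```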