Bug 1672400 (CVE-2018-16491)

Summary: CVE-2018-16491 nodejs-extend: Prototype pollution in Object.prototype
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, bleanhar, cbyrne, ccoleman, cmacedo, dedgar, dffrench, drusso, eparis, hhorak, jgoulding, jmadigan, jokerman, jorton, jshepherd, mchappel, ngough, nodejs-sig, piotr1212, ppenicka, pwright, tjay, trepel, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-extend 1.1.7, nodejs-extend 2.0.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-05 21:56:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Laura Pardo 2019-02-04 20:55:56 UTC 
A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.


References:
https://hackerone.com/reports/430831
Comment 1 Tomas Hoger 2019-02-05 13:22:26 UTC 
Upstream commit:

2.0.x:  https://github.com/dreamerslab/node.extend/commit/7e6135a5da16a755a28ffa596e14a07bf5e0c95b
1.1.x:  https://github.com/dreamerslab/node.extend/commit/d63002dbc5ac2bc89c264a81bfb72769ec924f1b

Note that this issue was reported for the node.extend package:

https://www.npmjs.com/package/node.extend
https://github.com/dreamerslab/node.extend

What is included in various Red Hat products is extend package:

https://www.npmjs.com/package/extend
https://github.com/justmoon/node-extend
Comment 2 Laura Pardo 2019-02-05 21:56:20 UTC 
Closing this since I mistakenly confused nodejs.extend package with nodejs-extend. As noted bug 1672402, comment 1 this vulnerability is for nodejs.extend while the package we ship is nodejs-extend