Bug 1795479 (CVE-2019-10747)
Summary: | CVE-2019-10747 nodejs-set-value: prototype pollution in function set-value | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | aos-bugs, bdettelb, bmontgom, eparis, hhorak, jburrell, jcantril, jokerman, jorton, jsmith.fedora, kaycoth, mwringe, nodejs-maint, nstielau, pladd, ploffay, sponnaga, thrcka, tomckay |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | nodejs-set-value 3.0.1, nodejs-set-value 2.0.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in nodejs-set-value. The function mixin-deep can be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or _proto_ payloads. The highest threat from this vulnerability is to data confidentiality and integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-02-11 16:09:47 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1795480, 1795850, 1795851, 1795852, 1795853, 1795854, 1803246, 1803247, 1803248, 1803249, 1910298, 1920692, 1921843, 1922203, 1922256 | ||
Bug Blocks: | 1795481 |
Description
Dhananjay Arunesh
2020-01-28 04:59:18 UTC
Created nodejs-set-value tracking bugs for this issue: Affects: fedora-all [bug 1795480] Red Hat Quay 3.2 uses nodejs-set-value 2.0.1 which has a fix for this vulnerability. Statement: While OpenShift Container Platform (OCP) contains the affected nodejs-set-value code, it's added as a dependency of Kibana 5. Similar issue about prototype pollution [1] have been fixed, but no known attack vector was found, so we're rating this issue as Low for OCP. In Red Hat Software Collections and Red Hat Enterprise Linux 8, nodejs-set-value is bundled into nodejs-nodemon, and is not meant to be accessed outside of that package. Within nodemon, this flaw is rated with a Low severity. [1] CVE-2019-10744 https://www.elastic.co/community/security This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0485 https://access.redhat.com/errata/RHSA-2021:0485 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10747 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0549 https://access.redhat.com/errata/RHSA-2021:0549 |