Bug 1795479 (CVE-2019-10747)

Summary: CVE-2019-10747 nodejs-set-value: prototype pollution in function set-value
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aos-bugs, bdettelb, bmontgom, eparis, hhorak, jburrell, jcantril, jokerman, jorton, jsmith.fedora, kaycoth, mwringe, nodejs-maint, nstielau, pladd, ploffay, sponnaga, thrcka, tomckay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-set-value 3.0.1, nodejs-set-value 2.0.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-set-value. The function mixin-deep can be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or _proto_ payloads. The highest threat from this vulnerability is to data confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-11 16:09:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1795480, 1795850, 1795851, 1795852, 1795853, 1795854, 1803246, 1803247, 1803248, 1803249, 1910298, 1920692, 1921843, 1922203, 1922256    
Bug Blocks: 1795481    

Description Dhananjay Arunesh 2020-01-28 04:59:18 UTC 
A vulnerability was found in NOdejs set-value, where set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.

Reference:
https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E
Comment 1 Dhananjay Arunesh 2020-01-28 05:00:22 UTC 
Created nodejs-set-value tracking bugs for this issue:

Affects: fedora-all [bug 1795480]
Comment 3 Jason Shepherd 2020-01-29 02:27:43 UTC 
Red Hat Quay 3.2 uses nodejs-set-value 2.0.1 which has a fix for this vulnerability.
Comment 9 Cedric Buissart 2020-02-25 09:10:18 UTC 
Statement:

While OpenShift Container Platform (OCP) contains the affected nodejs-set-value code, it's added as a dependency of Kibana 5. Similar issue about prototype pollution [1] have been fixed, but no known attack vector was found, so we're rating this issue as Low for OCP. 

In Red Hat Software Collections and Red Hat Enterprise Linux 8, nodejs-set-value is bundled into nodejs-nodemon, and is not meant to be accessed outside of that package. Within nodemon, this flaw is rated with a Low severity.

[1] CVE-2019-10744 https://www.elastic.co/community/security
Comment 11 errata-xmlrpc 2021-02-11 13:35:10 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0485 https://access.redhat.com/errata/RHSA-2021:0485
Comment 12 Product Security DevOps Team 2021-02-11 16:09:47 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10747
Comment 13 errata-xmlrpc 2021-02-16 14:32:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0549 https://access.redhat.com/errata/RHSA-2021:0549