Bug 1813309 (CVE-2019-10768)

Summary: CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, anpicker, anstephe, apevec, ataylor, bdettelb, bmontgom, chazlett, drieden, eglynn, emingora, eparis, erooth, etirelli, ggaughan, gmalinko, ibek, janstey, jburrell, jjoyce, jochrist, jokerman, jrokos, jross, jstastny, jwon, krathod, kverlaen, lcosic, lhh, mburns, mgarciac, mnovotny, nstielau, pjindal, rcernich, rguimara, rhos-maint, rrajasek, sponnaga, spower, surbania, tomckay, tzimanyi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: angularjs 1.7.9 Doc Type: If docs needed, set a value
Doc Text:
A prototype pollution vulnerability was found in AngularJS. A remote attacker could abuse this flaw by providing malicious input to the merge() function by overriding or adding properties of the Object.prototype, allowing possible injection of code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 01:29:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1958829, 1958830, 1958831, 1848734, 1848735, 2112524, 2112525, 2129242    
Bug Blocks: 1813366    

Description Michael Kaplan 2020-03-13 14:05:33 UTC 
In AngularJS merge() function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

External Reference:

https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3
Comment 5 Jason Shepherd 2020-06-18 20:35:55 UTC 
Statement:

Whilst servicemesh-grafana, and grafana-container both include a vulnerable version of angular.js (v1.6.6) the impact is lowered due to Grafana not directly implementing the angular.merge function.
Comment 18 Lon Hohberger 2022-08-19 18:49:23 UTC 
This also affects Fedora, as far as I can tell. I issued a PR here: https://src.fedoraproject.org/rpms/python-XStatic-Angular/pull-request/1
Comment 20 errata-xmlrpc 2022-12-07 19:25:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:8849 https://access.redhat.com/errata/RHSA-2022:8849
Comment 21 errata-xmlrpc 2022-12-07 20:26:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:8866 https://access.redhat.com/errata/RHSA-2022:8866
Comment 22 errata-xmlrpc 2023-01-25 12:29:46 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.0

Via RHSA-2023:0274 https://access.redhat.com/errata/RHSA-2023:0274