Bug 1813344 (CVE-2020-7598)
| Field | Value |
|---|---|
| Summary | CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload |
| Product | [Other] Security Response |
| Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | alegrand, anpicker, aos-bugs, bdettelb, bmontgom, dblechte, dfediuck, eedri, eparis, erooth, ewolinet, hhorak, hvyas, jburrell, jcantril, jhadvig, jokerman, jorton, jschorr, kakkoyun, kconner, lcosic, mcooper, mgoldboi, michal.skrivanek, mloibl, nodejs-maint, nodejs-sig, nstielau, osoukup, pkrupa, rcernich, sbonazzo, sd-operator-metering, sgratch, sherold, sponnaga, surbania, talessio, tchollingsworth, tflannag, thrcka, tomckay, yturgema |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | minimist 1.2.3 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in nodejs-minimist, where it was tricked into adding or modifying properties of the Object.prototype using a "constructor" or "__proto__" payload. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-06-02 17:20:32 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1813345, 1813346, 1813347, 1816880, 1826772, 1826773, 1826774, 1826775, 1826830, 1826831, 1826832, 1826833, 1849501, 1849502, 1849503, 1849504, 1849505, 1849506, 1849507, 1849508, 1853321, 1853322, 1853339, 1853340, 1853341 |
| Bug Blocks | 1813351 |
Description
Guilherme de Almeida Suckevicz
2020-03-13 14:57:10 UTC
Created nodejs-minimist tracking bugs for this issue:

Affects: epel-6 [bug 1813346]
Affects: epel-7 [bug 1813347]
Affects: fedora-all [bug 1813345]

ServiceMesh packages a vulnerable version of minimist as NodeJS dependencies in the following RPMs:
- kiali - v0.0.8 and v0.0.10
- servicemesh-grafana - v0.0.8 and v1.2.0

Statement:

Red Hat Quay only includes minimist as a dependency of the test suites, and does not include it in the product. We may fix this issue in a future Red Hat Quay release.

External References:

https://snyk.io/vuln/SNYK-JS-MINIMIST-559764

Upstream commit for nodejs:
https://github.com/nodejs/node/commit/40b559a376ae1db031132a86a76834decf6f0c2d

Upstream commit for npm:
https://github.com/npm/cli/commit/9c554fd8cd1e9aeb8eb122ccfa3c78d12af4097a

This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:2362 https://access.redhat.com/errata/RHSA-2020:2362

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7598

Upstream minimist fixes:
https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2847 https://access.redhat.com/errata/RHSA-2020:2847

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2849 https://access.redhat.com/errata/RHSA-2020:2849

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2848 https://access.redhat.com/errata/RHSA-2020:2848

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2852 https://access.redhat.com/errata/RHSA-2020:2852

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:2895 https://access.redhat.com/errata/RHSA-2020:2895

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3042 https://access.redhat.com/errata/RHSA-2020:3042

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:3084 https://access.redhat.com/errata/RHSA-2020:3084

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992

This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:2643 https://access.redhat.com/errata/RHSA-2021:2643
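The Doc Text above says minimist can be "tricked into adding or modifying properties of the Object.prototype using a constructor or __proto__ payload" but does not show the mechanism. The following is an added example, not minimist's code and not part of this bug report: a toy dotted-key argument parser in the style of minimist (where `--a.b=c` yields `argv.a.b === "c"`), first in a vulnerable form and then in a hardened form. The function names (`splitArg`, `setKeyVulnerable`, `setKeyHardened`, `parseArgs`, `demonstrate`) and the two payload strings are invented for this illustration; the hardened variant is an illustrative guard, not a copy of the fix in the linked upstream minimist commits.

```javascript
// Added example (not minimist's code): a minimal dotted-key argv parser in
// the style of minimist, where `--a.b=c` produces argv.a.b === "c".
// All function names here are invented for this demonstration.
//
// The vulnerable walk descends into whatever `o[key]` evaluates to.  For a
// plain object, `o["__proto__"]` and `o["constructor"]["prototype"]` are
// inherited lookups that both resolve to Object.prototype, so the final
// assignment lands on the shared prototype and every object in the process
// inherits the attacker's property.

function splitArg(arg) {
  // "--a.b=c" -> { path: ["a", "b"], value: "c" }; "--flag" -> value true.
  const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
  if (!m) return null; // positional arguments are ignored in this toy parser
  return { path: m[1].split('.'), value: m[2] === undefined ? true : m[2] };
}

// VULNERABLE: no check on key names, so `o[key]` may be an inherited value.
function setKeyVulnerable(obj, path, value) {
  let o = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (o[key] === undefined) o[key] = {};
    o = o[key]; // for "__proto__" or "constructor" this walks out of `obj`
  }
  o[path[path.length - 1]] = value;
  return true;
}

// HARDENED: reject the key names that can reach a prototype, and only ever
// descend into a plain object that this parser created itself (an own
// property), never into anything inherited.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setKeyHardened(obj, path, value) {
  if (path.some((k) => FORBIDDEN_KEYS.has(k))) return false; // drop the whole argument
  let o = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[path[path.length - 1]] = value;
  return true;
}

// Parse argv with the given key-setting strategy; returns the argv object
// and the list of arguments the strategy refused.
function parseArgs(argv, setKey) {
  const out = {};
  const rejected = [];
  for (const arg of argv) {
    const parsed = splitArg(arg);
    if (parsed === null) continue;
    if (!setKey(out, parsed.path, parsed.value)) rejected.push(arg);
  }
  return { argv: out, rejected };
}

// Run one attacker-controlled argv through both parsers and report whether
// an unrelated object created afterwards carries the injected property.
// Object.prototype is cleaned up so the pollution does not outlive the demo.
function demonstrate(payload) {
  const results = {};
  for (const [name, setKey] of [['vulnerable', setKeyVulnerable], ['hardened', setKeyHardened]]) {
    const { rejected } = parseArgs(payload, setKey);
    const victim = {}; // any object created after parsing, anywhere in the process
    results[name] = { polluted: victim.polluted === 'yes', rejected };
    delete Object.prototype.polluted;
  }
  return results;
}

// Constructed payloads: the two shapes named in the Doc Text above.
const PAYLOADS = [
  ['--__proto__.polluted=yes'],
  ['--constructor.prototype.polluted=yes'],
];

for (const p of PAYLOADS) console.log(p[0], JSON.stringify(demonstrate(p)));
```

With the vulnerable walk both payloads set `polluted` on every object in the process; with the hardened walk both arguments are rejected and `--db.host=localhost`-style arguments still work. Building the result with `Object.create(null)` is a second, independent safeguard, since a null-prototype object has no inherited `__proto__` accessor or `constructor` to walk into. To check whether a dependency tree still carries an affected copy, `npm ls minimist` lists every resolved version against the "Fixed In Version" given above.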