Bug 1840004 (CVE-2020-7608)

Summary: CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bdettelb, gparvin, hhorak, hvyas, jorton, jramanat, jsmith.fedora, jweiser, nodejs-maint, stcannon, tfister, thee, tomckay
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: yargs-parser 13.1.2, yargs-parser 15.0.1, yargs-parser 18.1.1, node 10.23.0, node 12.19.0, node 14.9.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in nodejs-yargs-parser, where it can be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-01-27 14:41:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1840005, 1840029, 1841838, 1841839, 1841840, 1841841, 1898767, 1911818, 1917859, 1917862, 1920162    
Bug Blocks: 1840007    

Description Dhananjay Arunesh 2020-05-26 08:31:59 UTC
A vulnerability was found in yargs-parser, which could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Reference:
https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
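The mechanism behind this class of bug, as an added example that is not code from yargs-parser, from Red Hat, or from this report: a minimal argv parser that handles dotted keys (`--a.b=c`) the way a nested-option parser does. The first setter walks the object by key without any filtering, so a path starting with `__proto__` resolves to `Object.prototype` and the write lands on the shared prototype; the second setter refuses prototype-related segments, only descends into own properties, and builds containers with a null prototype. The function names (`setPathUnsafe`, `setPathSafe`, `parseArgs`, `prototypeGained`) and the sample argv are constructed for this illustration, and the hardened setter is one reasonable fix, not a description of the upstream patch.

```javascript
'use strict';

// Key segments that must never be used as a property path element.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe (the defect class this CVE describes): creates/descends nested
// objects by key with no filtering. On a plain object, obj['__proto__']
// is Object.prototype, so the final assignment pollutes every object.
function setPathUnsafe(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: reject dangerous segments up front, descend only into own
// properties, and create containers that have no prototype at all.
function setPathSafe(obj, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (DANGEROUS_KEYS.has(p)) throw new Error(`refusing to set key "${p}"`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Tiny argv parser: --key=value or --a.b.c=value; bare --flag becomes true.
// The container is a plain {} on purpose, as a typical parser would use.
function parseArgs(argv, setPath) {
  const out = {};
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    setPath(out, key, value);
  }
  return out;
}

// Defensive probe for a test suite or startup self-check: did the shared
// Object.prototype gain an own property it should not have?
function prototypeGained(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Constructed argv mirroring the "__proto__" payload shape named in the report.
const SAMPLE_ARGV = ['--__proto__.polluted=yes', '--port=8080'];

// Runs the unsafe parser, records whether the prototype was polluted,
// then undoes the pollution so the rest of the process is unaffected.
function demoUnsafe() {
  parseArgs(SAMPLE_ARGV, setPathUnsafe);
  const gained = prototypeGained('polluted');
  delete Object.prototype.polluted;
  return gained; // true
}

// Runs the hardened parser on the same input: it must reject the key
// and leave Object.prototype untouched.
function demoSafe() {
  try {
    parseArgs(SAMPLE_ARGV, setPathSafe);
    return 'parsed';
  } catch (e) {
    return prototypeGained('polluted') ? 'polluted' : 'rejected';
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe parser polluted Object.prototype:', demoUnsafe());
  console.log('hardened parser result:', demoSafe());
  console.log(parseArgs(['--server.port=8080', '--verbose'], setPathSafe));
}
```

The `prototypeGained` probe is the cheap regression check worth keeping around: after parsing untrusted input (CLI arguments, query strings, JSON bodies) in a test, assert that `Object.prototype` has acquired no own properties. Rejecting the key outright is the conservative choice for a CLI; a parser that wants to be lenient can drop the argument instead, but either way the dangerous segments must never reach a property write.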

Comment 1 Dhananjay Arunesh 2020-05-26 08:32:37 UTC
Created nodejs-yargs-parser tracking bugs for this issue:

Affects: fedora-all [bug 1840005]

Comment 9 Product Security DevOps Team 2021-01-27 14:41:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7608

Comment 10 errata-xmlrpc 2021-02-15 18:26:11 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521

Comment 11 errata-xmlrpc 2021-02-16 14:31:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548

Comment 14 errata-xmlrpc 2021-05-19 09:14:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041

Comment 16 errata-xmlrpc 2021-10-19 12:10:13 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917