Bug 1844228 (CVE-2020-7660)

Summary: CVE-2020-7660 npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: alegrand, anpicker, bdettelb, bmontgom, eparis, erooth, fdeutsch, gparvin, jburrell, jcantril, jokerman, jramanat, jschorr, jweiser, kakkoyun, kaycoth, kconner, lcosic, mloibl, mwringe, nstielau, periklis, pkrupa, ploffay, rcernich, sisharma, sponnaga, stcannon, surbania, tfister, thee, tomckay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: serialize-javascript-3.1.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the serialize-javascript before version 3.1.0. This flaw allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js."
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-01 19:27:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1844345, 1845006, 1845407, 1845450, 1846446, 1846447, 1846448, 1846449, 1910271    
Bug Blocks: 1844230    

Description Guilherme de Almeida Suckevicz 2020-06-04 19:57:44 UTC 
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Reference:
https://github.com/yahoo/serialize-javascript/pull/79

Upstream commit:
https://github.com/yahoo/serialize-javascript/commit/f21a6fb3ace2353413761e79717b2d210ba6ccbd
Comment 11 Mark Cooper 2020-06-09 07:36:04 UTC 
In both OpenShift 4.x containers, openshift4/ose-prometheus and openshift4/ose-grafana, an affected version of serialize-javascript is included (v1.9.1).
Comment 17 errata-xmlrpc 2020-07-01 18:46:02 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796
Comment 18 Product Security DevOps Team 2020-07-01 19:27:42 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7660
Comment 19 errata-xmlrpc 2020-07-07 19:33:39 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861
Comment 22 Jason Shepherd 2021-05-03 23:37:39 UTC 
Statement:

Red Hat Quay includes serialize-javascript as a dependency of webpack which is only used at build time. The vulnerable library is not used at runtime meaning this has a low impact on Red Hat Quay.

The currently supported versions of Container Native Virtualization 2 are not affected by this flaw. However, version 2.0, which is no longer supported, is affected.