Bug 1857977 (CVE-2020-15366)

Summary: CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alegrand, anpicker, aos-bugs, apattich, bcoca, bdettelb, bmontgom, chousekn, cmeyers, cnv-qe-bugs, davidn, eparis, erooth, fdeutsch, gblomqui, gparvin, hhorak, jburrell, jcammara, jhadvig, jhardy, jobarker, jokerman, jorton, jramanat, jweiser, kakkoyun, kconner, lcosic, mabashia, mloibl, nodejs-maint, notting, nstielau, osapryki, pkrupa, rcernich, relrod, rpetrell, sdoran, smcdonal, sponnaga, stcannon, surbania, tfister, thee, tjelinek, tkasparek, tkuratom, tomckay, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-ajv 6.12.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-ajv. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 20:21:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1859404, 1861552, 1861553, 1861554, 1861555, 1861601, 1861602, 1861603, 1861604, 1861632, 1861633, 1861634, 1862095, 1893183, 1893184, 1901044, 1916689, 1916690, 1917857, 1917864, 1935676    
Bug Blocks: 1857978    

Description Guilherme de Almeida Suckevicz 2020-07-16 19:43:33 UTC 
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

References:
https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
https://hackerone.com/bugs?subject=user&report_id=894259
Comment 4 Jason Shepherd 2020-07-28 00:47:54 UTC 
Upstream Commit:

https://github.com/ajv-validator/ajv/commit/988982d3fde08e3ea074e8942442834e78c45587
Comment 6 Mark Cooper 2020-07-28 23:49:23 UTC 
External References:

https://snyk.io/vuln/SNYK-JS-AJV-584908
Comment 7 Mark Cooper 2020-07-28 23:59:09 UTC 
Statement:

In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-ajv library to authenticated users only, therefore the impact is low.
Comment 14 Vít Ondruch 2020-10-27 09:05:31 UTC 
Just FTR, this is not addressed in any stable Node.js  upstream release AFAIK:

https://github.com/nodejs/node/blob/v10.x/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
https://github.com/nodejs/node/blob/v12.x/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
https://github.com/nodejs/node/blob/v14.x/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
Comment 15 errata-xmlrpc 2020-10-27 16:25:00 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
Comment 16 Product Security DevOps Team 2020-10-27 20:21:27 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15366
Comment 19 errata-xmlrpc 2020-12-01 14:47:17 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5305 https://access.redhat.com/errata/RHSA-2020:5305
Comment 20 errata-xmlrpc 2020-12-15 17:09:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5499 https://access.redhat.com/errata/RHSA-2020:5499
Comment 21 errata-xmlrpc 2021-02-04 17:18:03 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0421 https://access.redhat.com/errata/RHSA-2021:0421
Comment 22 errata-xmlrpc 2021-02-15 18:26:17 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521
Comment 23 errata-xmlrpc 2021-02-16 14:31:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548
Comment 24 errata-xmlrpc 2021-02-16 14:33:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0551 https://access.redhat.com/errata/RHSA-2021:0551
Comment 26 errata-xmlrpc 2021-03-09 15:14:41 UTC 
This issue has been addressed in the following products:

  Red Hat Automation Hub 4.2 for RHEL 7
  Red Hat Automation Hub 4.2 for RHEL 8

Via RHSA-2021:0781 https://access.redhat.com/errata/RHSA-2021:0781
Comment 27 errata-xmlrpc 2021-10-19 12:10:18 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917