Bug 1898680 (CVE-2020-7774)
Summary: | CVE-2020-7774 nodejs-y18n: prototype pollution vulnerability | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | alegrand, amctagga, anpicker, aos-bugs, bdettelb, bmontgom, eparis, erooth, gghezzo, gparvin, hhorak, hvyas, jburrell, jcantril, jhadvig, jokerman, jorton, jramanat, jshaughn, jsmith.fedora, jstanek, jweiser, jwendell, kakkoyun, kconner, kmullins, lcosic, mloibl, mwringe, nodejs-maint, nodejs-sig, nstielau, periklis, pkrupa, ploffay, rcernich, sponnaga, stcannon, surbania, thee, tomckay, twalsh, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | nodejs-y18n 5.0.5, nodejs-y18n 4.0.1 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2020-12-01 17:34:01 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1898681, 1898764, 1898765, 1898766, 1898767, 1898768, 1898827, 1899150, 1899151, 1899152, 1899153, 1899156, 1899989, 1901047, 1916389, 1916395, 1920157, 1920550, 1921630, 2126069, 2126070, 2126071, 2126072 | | |
Bug Blocks: | 1898682 | | |
Description
Guilherme de Almeida Suckevicz
2020-11-17 19:39:00 UTC
Created nodejs-y18n tracking bugs for this issue:

Affects: fedora-all [bug 1898681]

nodejs as shipped with Red Hat Enterprise Linux 8, as well as Red Hat Software Collections, ships vulnerable versions of y18n (v3.2.1, v4.0.0) in node_modules for npm and yargs. However, it does not accept untrusted input remotely that could be used to trigger the flaw.

External References:
https://snyk.io/vuln/SNYK-JS-Y18N-1021887

Flaw summary:
There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.

Statement:
In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-y18n library to authenticated users only, therefore the impact is Low.

In Red Hat OpenShift Container Storage 4 the noobaa-core container includes the affected version of y18n as a dependency of yargs. However, no unsafe usage found where the module accepts untrusted input and hence this issue has been rated as having a security impact of Low.

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2020:5305 https://access.redhat.com/errata/RHSA-2020:5305

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-7774

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:5499 https://access.redhat.com/errata/RHSA-2020:5499

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:0421 https://access.redhat.com/errata/RHSA-2021:0421

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:0551 https://access.redhat.com/errata/RHSA-2021:0551

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633

This issue has been addressed in the following products:
Red Hat OpenShift Container Storage 4.7.0 on RHEL-8
Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.8
Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
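The flaw summary above says only that untrusted input reaching y18n's locale handling can pollute `Object.prototype`. The following is an added example, not y18n's code and not anything from this bug or the Red Hat errata: it models the class of bug with an assumed `UnsafeMessageCache` (a per-locale message store keyed by the caller's locale string, the pattern that lets `"__proto__"` resolve to `Object.prototype`), then shows the hardened `MessageCache` (prototype-less storage, a validated locale, own-property reads) and a small detection check (`unexpectedPrototypeKeys`) that a test suite or health probe can use to notice pollution after the fact. The class names, `isSafeKey`, `demo`, and the locale and message values are all constructed for this illustration; y18n's real internals are not reproduced.

```javascript
// Added example (not y18n's or Red Hat's code). Names below are assumptions.

// Keys that a bracket lookup on a plain object turns into prototype access.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return typeof key === 'string' && !FORBIDDEN_KEYS.has(key);
}

// Detection: snapshot Object.prototype's own property names at startup and
// report anything that appears later. Empty array means "nothing polluted".
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function unexpectedPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE.has(k));
}

// Vulnerable pattern: cache[locale] is assumed to be a per-locale bucket.
// With locale === '__proto__', cache['__proto__'] IS Object.prototype (truthy,
// so no bucket is created) and the merge writes onto every plain object.
class UnsafeMessageCache {
  constructor() { this.cache = {}; this.locale = 'en'; }
  setLocale(locale) { this.locale = locale; }
  updateLocale(entries) {
    if (!this.cache[this.locale]) this.cache[this.locale] = {};
    for (const k of Object.keys(entries)) this.cache[this.locale][k] = entries[k];
  }
}

// Hardened form: prototype-less storage (no '__proto__' accessor to hit),
// locale validated before use, and lookups limited to own properties.
class MessageCache {
  constructor() { this.cache = Object.create(null); this.locale = 'en'; }
  setLocale(locale) {
    if (!isSafeKey(locale)) throw new TypeError(`refusing locale ${JSON.stringify(locale)}`);
    this.locale = locale;
  }
  updateLocale(entries) {
    if (!Object.prototype.hasOwnProperty.call(this.cache, this.locale)) {
      this.cache[this.locale] = Object.create(null);
    }
    const bucket = this.cache[this.locale];
    for (const k of Object.keys(entries)) {
      if (isSafeKey(k)) bucket[k] = entries[k]; // message keys are untrusted too
    }
  }
  lookup(key) {
    const bucket = this.cache[this.locale];
    return bucket && Object.prototype.hasOwnProperty.call(bucket, key) ? bucket[key] : undefined;
  }
}

// Constructed input standing in for a locale string and message update that an
// untrusted caller might supply. Runs both caches and always restores
// Object.prototype so the process is left clean.
function demo() {
  const untrustedLocale = '__proto__';
  const untrustedMessages = JSON.parse('{"polluted": true}');
  const result = {};
  try {
    const unsafe = new UnsafeMessageCache();
    unsafe.setLocale(untrustedLocale);
    unsafe.updateLocale(untrustedMessages);
    result.unsafeLeaked = unexpectedPrototypeKeys();     // ['polluted']
    result.freshObjectPolluted = ({}).polluted === true;  // true: every {} now has it
  } finally {
    delete Object.prototype.polluted;
  }
  const safe = new MessageCache();
  let rejected = false;
  try { safe.setLocale(untrustedLocale); } catch (e) { rejected = e instanceof TypeError; }
  safe.updateLocale({ greeting: 'hello' });             // still on locale 'en'
  result.hardenedRejected = rejected;                    // true
  result.hardenedLeaked = unexpectedPrototypeKeys();     // []
  result.lookup = safe.lookup('greeting');               // 'hello'
  result.missing = safe.lookup('toString');              // undefined, not Object.prototype.toString
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` to see both halves side by side. The `unexpectedPrototypeKeys` baseline only catches keys added after the snapshot, so take it as early as possible in process startup; in a service it is cheap enough to check in a readiness probe alongside the dependency upgrade to the fixed y18n versions listed in this bug.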