Bug 1906853 (CVE-2020-7789)
| Summary: | CVE-2020-7789 nodejs-node-notifier: command injection due to the options params not being sanitised when being passed an array | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alegrand, anpicker, aos-bugs, bcoca, bmontgom, chousekn, cmeyers, davidn, eparis, erooth, gblomqui, gghezzo, gparvin, jburrell, jcammara, jhadvig, jhardy, jobarker, jokerman, jramanat, jweiser, jwendell, kakkoyun, kaycoth, kconner, lcosic, mabashia, notting, nstielau, osapryki, pkrupa, rcernich, relrod, rpetrell, sadams, sdoran, smcdonal, sponnaga, stcannon, surbania, thee, tkuratom, twalsh, znemecko |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: |
https://issues.redhat.com/browse/POL-408 https://issues.redhat.com/browse/MIGENG-884 |
||
| Whiteboard: | |||
| Fixed In Version: | nodejs-node-notifier 9.0.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in node-notifier. An attacker can run arbitrary commands on Linux machines due to the options params not being sanitized when being passed an array.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-09 21:05:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1907260, 1907856, 1907857, 1907858, 1907859, 1907860, 1907861, 1907886, 1907887, 1935677 | ||
| Bug Blocks: | 1906855 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-12-11 14:53:50 UTC
Introduced in 97301ed8 which was included in release 5.0.1. Prior versions should be unaffected (but check the escapeFn() definition - it changed a few times prior). Upstream commit: https://github.com/mikaelbr/node-notifier/commit/2d3927b200a0fd1721e8b8ad59f84f383d3f0e0a External References: https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794 Upstream fix for our services using notifier https://github.com/mikaelbr/node-notifier/commit/2d3927b200a0fd1721e8b8ad59f84f383d3f0e0a Statement: Whilst the OpenShift ServiceMesh (OSSM) and OpenShift Container Platform (OCP) containers include the vulnerable nodejs-node-notifier library, the successful exploitation requires additional packages on the node (like desktop notification library) which are not part of the OpenShift ServiceMesh or OpenShift Container Platform products. Additionally access to the vulnerable nodejs-node-notifier library is restricted to authenticated users only (OpenShift OAuth authentication). Therefore these OSSM and OCP components have been marked as wont-fix and may be addressed in a future updates. OpenShift ServiceMesh (OSSM) 1.1 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope. The nodejs-notifier library was present in Red Hat Advanced Cluster Management for Kubernetes version 2.0, but is no longer used since version 2.1. Customers are advised to upgrade to the latest version which is fully supported, does not include this vulnerability. This issue has been addressed in the following products: Red Hat Automation Hub 4.2 for RHEL 7 Red Hat Automation Hub 4.2 for RHEL 8 Via RHSA-2021:0781 https://access.redhat.com/errata/RHSA-2021:0781 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7789 |