Bug 1907444 (CVE-2020-7788)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-7788 nodejs-ini: Prototype pollution via malicious INI file | | |
| Product | [Other] Security Response | Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | bdettelb, extras-orphan, hhorak, jorton, kaycoth, kmullins, mpoole, nodejs-maint, nodejs-sig, tchollingsworth, thrcka, tomckay, zsvetlik |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| See Also | https://issues.redhat.com/browse/MIGENG-883 | | |
| Whiteboard | | | |
| Fixed In Version | nodejs-ini 1.3.6 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in nodejs-ini. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-02-04 20:42:19 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1907445, 1907446, 1907526, 1912634, 1912635, 1912636, 1912637, 1912638, 1912639, 1914783, 1914784, 1914785, 1914913, 1914914, 1914915, 1924699, 1924700, 1991321, 1991322, 1991323, 1991324, 1993962, 1993965, 2005419, 2027630, 2027631, 2027632, 2073156, 2124230 | | |
| Bug Blocks | 1907447 | | |
Description
Guilherme de Almeida Suckevicz
2020-12-14 14:28:32 UTC
Created nodejs-ini tracking bugs for this issue:

Affects: epel-7 [bug 1907446]
Affects: fedora-32 [bug 1907445]

Statement:

Node.JS packages in Red Hat Enterprise Linux and Red Hat Software Collections included the vulnerable dependency packaged in "nodejs-npm" component. Processing malicious files using npm could potentially trigger this vulnerability. The "ini" package bundled with npm was not in the library path where it could be included directly in other programs. The ini package is included in Red Hat Quay by protractor and webpack-cli, both of which are dev dependencies.

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0421 https://access.redhat.com/errata/RHSA-2021:0421

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7788

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0485 https://access.redhat.com/errata/RHSA-2021:0485

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0549 https://access.redhat.com/errata/RHSA-2021:0549

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0551 https://access.redhat.com/errata/RHSA-2021:0551

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
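The flaw the Doc Text and the statement above describe, as an added example that is not part of this bug report or of the ini package: a pre-parse check that flags INI lines whose section or key names would write through the prototype chain, beside a hardened minimal parser that cannot reach Object.prototype. The parser, its helper names and the sample INI text are constructed for this example; it assumes the common INI layout of bracketed section headers (dotted names nest) and `key = value` lines.

```javascript
// Added example (not the ini package's code) for the CVE-2020-7788 bug class.
// Assumes the common INI shape: "[section]" headers (dotted names nest) and
// "key = value" lines. Property names below must never come from untrusted
// input; '__proto__' is the one that reaches Object.prototype, the other two
// are extra defense in depth.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isSkippable = (l) => !l || l.startsWith(';') || l.startsWith('#');
const hasForbidden = (name) => name.split('.').some((s) => FORBIDDEN_KEYS.has(s));
const SECTION_RE = /^\[\s*(.+?)\s*\]$/;
// Pre-parse check: 1-based line numbers whose section or key name would write
// through the prototype chain, so the file can be rejected before parsing.
function findPrototypePollutionLines(iniText) {
  const hits = [];
  iniText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (isSkippable(line)) return;
    const m = line.match(SECTION_RE);
    if (hasForbidden(m ? m[1] : line.split('=')[0].trim())) hits.push(i + 1);
  });
  return hits;
}
// Hardened parser: prototype-less objects (Object.create(null)) plus dropping
// any forbidden section or key, in the spirit of the upstream 1.3.6 fix that
// refuses '__proto__' names.
function safeParseIni(iniText) {
  const root = Object.create(null);
  let current = root;
  for (const raw of iniText.split(/\r?\n/)) {
    const line = raw.trim();
    if (isSkippable(line)) continue;
    const m = line.match(SECTION_RE);
    if (m) {
      // A forbidden section is parked in a throwaway object so its keys vanish.
      if (hasForbidden(m[1])) { current = Object.create(null); continue; }
      current = root;
      for (const s of m[1].split('.')) {
        if (typeof current[s] !== 'object') current[s] = Object.create(null);
        current = current[s];
      }
      continue;
    }
    const eq = line.indexOf('=');
    const key = (eq === -1 ? line : line.slice(0, eq)).trim();
    if (hasForbidden(key)) continue;
    current[key] = eq === -1 ? true : line.slice(eq + 1).trim();
  }
  return root;
}
// Constructed sample: a benign section, then two that try to escape upward.
const SAMPLE_INI = ['[database]', 'host = localhost', '[__proto__]',
  'polluted = yes', '[app.constructor.prototype]', 'isAdmin = true'].join('\n');
```

Running `findPrototypePollutionLines(SAMPLE_INI)` reports lines 3 and 5, and `safeParseIni(SAMPLE_INI)` keeps only the `database` section while leaving `Object.prototype` untouched.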