Bug 1912463 (CVE-2020-28282)

Summary: CVE-2020-28282 nodejs-getobject: Prototype pollution could result in DoS and RCE
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: extras-orphan, jwendell, kconner, mcooper, nodejs-sig, rcernich, tchollingsworth, twalsh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-getobject. The `set()` function does not check the type of the object it is writing into before assigning a value to the property, allowing an attacker to create a non-existent property or manipulate an existing one, which could lead to a denial of service or remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Last Closed: 2021-01-07 18:27:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1912483, 1912484
Bug Blocks: 1912486

Description Michael Kaplan 2021-01-04 14:45:57 UTC
Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

External References:

https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282
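Added example, not code from the getobject project or from this bug's reporters: a minimal dotted-path setter in JavaScript that shows the pattern the Doc Text describes (a deep `set()` that walks and creates keys without checking what object it is assigning into) next to a hardened version, followed by a regression check a maintainer can keep in a test suite. The function names (`setPathUnsafe`, `setPathSafe`, `isPrototypeIsolated`) and the marker key are hypothetical and constructed for this demo; nothing here is getobject's actual implementation.

```javascript
// Added example (hypothetical code, not getobject's): deep "set" by dotted path.

// Vulnerable pattern: descends through whatever cur[key] resolves to, including
// inherited properties such as the prototype chain, and writes into it.
function setPathUnsafe(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Keys that name the prototype chain rather than ordinary data.
const RESERVED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Hardened version: rejects reserved keys up front and only descends into
// own, plain-object properties, so an inherited value is never the write target.
function setPathSafe(obj, path, value) {
  const parts = path.split('.');
  for (const key of parts) {
    if (RESERVED_KEYS.has(key)) {
      throw new TypeError(`refusing to set reserved key "${key}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {}; // create or replace: never reuse a non-object or inherited value
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Regression check for a test suite: returns true when the given setter
// either refuses a prototype-reaching path or leaves fresh objects unaffected.
// The marker key is constructed for the demo and removed again afterwards.
function isPrototypeIsolated(setter) {
  const marker = '__pollution_check_marker__';
  let refused = false;
  try {
    setter({}, '__proto__.' + marker, true);
  } catch (err) {
    refused = true;
  }
  const leaked = ({})[marker] === true; // a fresh object should not see it
  delete Object.prototype[marker]; // clean up so the process is not left polluted
  return refused || !leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe setter isolated:', isPrototypeIsolated(setPathUnsafe)); // false
  console.log('safe setter isolated:  ', isPrototypeIsolated(setPathSafe)); // true
  console.log(JSON.stringify(setPathSafe({}, 'a.b.c', 1))); // {"a":{"b":{"c":1}}}
}
```

The check is the part worth keeping: run it against any deep-set helper a project depends on, and it fails as soon as a write through a reserved key becomes visible on a newly created object.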

Comment 1 Michael Kaplan 2021-01-04 15:07:46 UTC
Created nodejs-getobject tracking bugs for this issue:

Affects: epel-7 [bug 1912484]
Affects: fedora-32 [bug 1912483]

Comment 2 Przemyslaw Roguski 2021-01-05 13:50:14 UTC
Statement:

In OpenShift ServiceMesh (OSSM) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-getobject library to authenticated users only, therefore the impact is Low. OpenShift ServiceMesh (OSSM) 1.1 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope.

Comment 5 Product Security DevOps Team 2021-01-07 18:27:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28282