Bug 1959721 (CVE-2019-20149)
| Summary: | CVE-2019-20149 nodejs-kind-of: ctorName in index.js allows external user input to overwrite certain internal attributes | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alegrand, amctagga, anharris, anpicker, aos-bugs, aturgema, bcoca, bdettelb, bmontgom, bniver, chousekn, cmeyers, davidn, dblechte, dfediuck, eedri, eparis, erooth, extras-orphan, flucifre, gblomqui, gghezzo, gmeno, gparvin, hhorak, hvyas, jburrell, jcammara, jcantril, jhardy, jobarker, jokerman, jorton, jramanat, jsmith.fedora, jweiser, jwendell, kakkoyun, kaycoth, kconner, lcosic, mabashia, mbenjamin, mgoldboi, mhackett, michal.skrivanek, mwringe, nodejs-maint, nodejs-sig, notting, nstielau, osapryki, ploffay, rcernich, relrod, rpetrell, sbonazzo, sdoran, sgratch, sherold, smcdonal, sostapov, spasquie, sponnaga, stcannon, surbania, thee, thrcka, tkuratom, tomckay, twalsh, vereddy, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kind-of 6.0.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in nodejs-kind-of. External user input is allowed to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-09-08 02:33:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1959722, 1960168, 1960615, 1960755, 1961950, 1961951, 1961952, 1961953, 1961954, 1961955, 1961956, 1961957, 1967358, 1971397, 1971398, 1971399, 1971494, 1971495, 1971497, 2126172, 2126173 | ||
| Bug Blocks: | 1959723 | ||

Created nodejs-kind-of tracking bugs for this issue:
Affects: fedora-all [bug 1959722]

Versions of `kind-of` 6.x prior to 6.0.3 are vulnerable.

Analysis is complete for AAP components and as a result, I found that though it uses the vulnerable version of nodeJS kind-of lib, none of the components seem to be using the ctorName functionality in index.js or kind-of / kindOf functionality for type checking. Hence, lowering the severity from medium to low.

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Via RHSA-2021:3454 https://access.redhat.com/errata/RHSA-2021:3454

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20149

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

References:
https://security-tracker.debian.org/tracker/CVE-2019-20149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20149
https://github.com/jonschlinkert/kind-of/issues/30
https://github.com/jonschlinkert/kind-of/pull/31
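
The type-detection confusion described above, as an added example that is not kind-of's source and not part of the original report: a simplified constructor-name check in its weak form beside one way to harden it, plus an input-validation check for the shadowed property. The names `ctorNameWeak`, `ctorNameStrict`, `detectType`, `shadowsConstructor` and `compare`, and the sample JSON, are assumptions constructed for illustration.

```javascript
// Simplified model of constructor-name type detection. Illustrative only:
// this is not kind-of's source, and all names here are hypothetical.

// Weak form: any truthy `constructor` property is trusted, including one that
// arrived as plain data in a parsed JSON document.
function ctorNameWeak(val) {
  return val.constructor ? val.constructor.name : null;
}

// Hardened form: a genuine constructor is a function, and JSON cannot encode
// functions, so parsed input can no longer supply the name.
function ctorNameStrict(val) {
  return typeof val.constructor === 'function' ? val.constructor.name : null;
}

// Toy detector that derives an object's type from its constructor name.
function detectType(val, ctorName) {
  if (val === null) return 'null';
  if (typeof val !== 'object') return typeof val;
  if (Array.isArray(val)) return 'array';
  const name = ctorName(val);
  return typeof name === 'string' && name ? name.toLowerCase() : 'object';
}

// Input-validation check: flags objects whose own `constructor` property
// shadows the one normally inherited from the prototype.
function shadowsConstructor(val) {
  return val !== null && typeof val === 'object' &&
    Object.prototype.hasOwnProperty.call(val, 'constructor');
}

// Constructed sample input using the property pair quoted in the report.
const CRAFTED_JSON = '{"constructor": {"name": "Symbol"}, "id": 7}';

function compare(json) {
  const val = JSON.parse(json);
  return {
    weak: detectType(val, ctorNameWeak),
    strict: detectType(val, ctorNameStrict),
    flagged: shadowsConstructor(val),
  };
}

console.log(compare(CRAFTED_JSON));
console.log(compare('{"id": 7}'));
```

Code that branches on a detected type (for example, skipping validation for non-plain objects) is where the weak form's misreport matters; the strict form reports the crafted input as a plain object.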