Bug 1999810 (CVE-2021-23434)

Summary: CVE-2021-23434 object-path: Type confusion vulnerability can lead to a bypass of CVE-2020-15256
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akoufoud, alazarot, almorale, amuller, anpicker, anstephe, aos-bugs, bmontgom, chazlett, eparis, erooth, etirelli, gghezzo, gparvin, ibek, jburrell, jnakfour, jochrist, jokerman, jramanat, jrokos, jross, jstastny, jwendell, jwon, kconner, krathod, kverlaen, lmadsen, mburns, mgarciac, mnovotny, mrunge, nstielau, pahickey, pjindal, rcernich, rfreiman, rgodfrey, rrajasek, spasquie, sponnaga, stcannon, twalsh, tzimanyi, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: object-path 0.11.6 Doc Type: If docs needed, set a value
Doc Text:
Prototype pollution has been discovered in object-path NodeJS library. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-15 02:08:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1999365, 2000304, 2000305, 2006405, 2006406, 2006872, 2006873, 2006874, 2006875, 2006876, 2006877, 2006878, 2006879, 2006880, 2006881, 2006891, 2006892, 2006893, 2006894, 2006895, 2006896    
Bug Blocks: 1999811    

Description Pedro Sampaio 2021-08-31 18:21:35 UTC 
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.

References:

https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb
https://github.com/mariocasciaro/object-path%230116
https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423
Comment 7 errata-xmlrpc 2021-10-14 22:38:58 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:3873 https://access.redhat.com/errata/RHSA-2021:3873
Comment 8 Product Security DevOps Team 2021-10-15 02:08:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23434
Comment 10 errata-xmlrpc 2022-03-14 13:56:43 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2022:0856 https://access.redhat.com/errata/RHSA-2022:0856