Bug 2004944 (CVE-2021-23440)

Summary: CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, amuller, anpicker, aos-bugs, bdettelb, bmontgom, eparis, erooth, etamir, ewolinet, extras-orphan, gghezzo, gparvin, hvyas, jburrell, jcantril, jokerman, jramanat, jwendell, mwringe, nbecker, nstielau, ocs-bugs, pahickey, periklis, ploffay, rcernich, spasquie, sponnaga, stcannon, twalsh, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: set-value 4.0.1
Doc Type: If docs needed, set a value
Doc Text:
A type confusion vulnerability in nodejs-set-value can lead to a bypass of CVE-2019-10747. If the user-provided keys used in the path parameter are arrays, the function mixin-deep can be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or __proto__ payloads. This vulnerability can impact data confidentiality, integrity, and availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-08 14:50:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1999601, 2004945, 2006743, 2012071, 2012072, 2012073, 2012074, 2012075, 2012076, 2012077, 2012078, 2012079, 2012080, 2012081, 2013239, 2013240, 2013241, 2016080
Bug Blocks: 2004947

Description Marian Rehak 2021-09-16 13:35:03 UTC
A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

External Reference:

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212
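The Doc Text and the description above describe the defect in terms of a key blocklist that is only applied when the path arrives as a dotted string, so an array-typed path can carry `__proto__`, `constructor` or `prototype` past the check. The following is an added illustration of the defensive pattern a fixed deep-set should follow; it is not code from the set-value or mixin-deep projects, and the names `safeSet`, `normalizePath`, `isUnsafeKey` and `prototypeIsClean` are this example's own. The point it shows is that every path segment must be coerced to the string it will actually be used as, and then checked, regardless of whether the caller passed a string, an array, or a nested array.

```javascript
'use strict';

// Added example (not set-value's own implementation): a deep "set" that
// validates each segment of the path after normalising it, so that the
// key type cannot decide whether the blocklist is consulted.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  // Coerce before comparing: a property access node[key] implicitly applies
  // String() to non-string keys, so the check must see the same value.
  return UNSAFE_KEYS.has(String(key));
}

function normalizePath(path) {
  if (typeof path === 'string') {
    return path.split('.');
  }
  if (Array.isArray(path)) {
    // Flatten nested arrays and coerce every element so that each segment is
    // examined as the string it becomes when used as a property name.
    return path.flat(Infinity).map(String);
  }
  throw new TypeError('path must be a string or an array');
}

function safeSet(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  const keys = normalizePath(path);
  if (keys.length === 0) {
    throw new Error('path is empty');
  }
  // Reject the whole operation before touching the target if any segment,
  // in any position, names a prototype-chain property.
  for (const key of keys) {
    if (isUnsafeKey(key)) {
      throw new Error(`refusing to set unsafe key "${key}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Only descend into own, plain-object properties; never walk into an
    // inherited value, and create intermediate objects as needed.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Helper for checking that a given name has not been planted on
// Object.prototype (useful as a post-condition in tests of any deep-set).
function prototypeIsClean(name) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, name) &&
    ({})[name] === undefined;
}

module.exports = { safeSet, normalizePath, isUnsafeKey, prototypeIsClean };
```

Because `normalizePath` flattens and stringifies first, `['__proto__', 'x']`, `[['constructor'], 'prototype', 'x']` and `'a.__proto__.x'` all fail the same check, which is the invariant the bypass in this report violated.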

Comment 1 Marian Rehak 2021-09-16 13:35:18 UTC
Created nodejs-set-value tracking bugs for this issue:

Affects: fedora-33 [bug 2004945]

Comment 2 Przemyslaw Roguski 2021-09-17 07:46:37 UTC
Downgrading the impact to Moderate, as this does not qualify for Important severity under the Red Hat rating.

Comment 14 errata-xmlrpc 2021-12-09 00:47:13 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:5038 https://access.redhat.com/errata/RHSA-2021:5038

Comment 15 errata-xmlrpc 2022-08-24 13:46:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156