Bug 2020365 (CVE-2021-23807)
| Summary: | CVE-2021-23807 nodejs-jsonpointer: type confusion vulnerability can lead to a bypass of a previous prototype pollution fix when the pointer components are arrays | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aos-bugs, bdettelb, bmontgom, eparis, extras-orphan, fjansen, jburrell, jcantril, kaycoth, nodejs-sig, nstielau, piotr1212, sponnaga |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |

Doc Text:
A Type Confusion vulnerability was found in node-jsonpointer. This issue leads to the bypass of a previous Prototype Pollution fix when the pointer components are arrays. This flaw allows an attacker to use objects of incompatible base types, leading to remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Bug Depends On: 2020366
Bug Blocks: 2020367
Description
Guilherme de Almeida Suckevicz
2021-11-04 16:43:37 UTC
Created nodejs-jsonpointer tracking bugs for this issue: Affects: epel-7 [bug 2020366]