Bug 2024702 (CVE-2021-3918)

Summary: CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adsoni, amctagga, amuller, anpicker, aos-bugs, avibelli, bdettelb, bgeorges, bmontgom, caswilli, cbuissar, chazlett, dkreling, dkuc, eparis, erooth, fjansen, gghezzo, gparvin, hhorak, jburrell, jcantril, jorton, jpallich, jramanat, jshaughn, jwendell, jwong, jwon, kaycoth, krathod, lthon, mrunge, mszynkie, mwringe, nodejs-maint, nodejs-sig, nstielau, pahickey, peholase, periklis, pgallagh, ploffay, psegedy, rcernich, rfreiman, rruss, sgallagh, spasquie, sponnaga, stcannon, tcarlin, thrcka, twalsh, vkumar, vmugicag, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-json-schema 0.4.0, node 16.11.0, npm 8.1.0 Doc Type: If docs needed, set a value
Doc Text:
The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-09 04:30:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2024863, 2024890, 2024895, 2024896, 2024897, 2024918, 2024919, 2024920, 2024921, 2024922, 2025510, 2025511, 2025512, 2025513, 2025659, 2025660, 2025661, 2026033, 2026034, 2026035, 2026036, 2026037, 2026038, 2026039, 2026040, 2026041, 2026042, 2026043, 2026044, 2027633, 2027634, 2027635, 2031774, 2033028, 2045877, 2053657, 2053658, 2053660, 2086795, 2086796, 2086797, 2086798, 2087165, 2175235    
Bug Blocks: 2024703    

Description Guilherme de Almeida Suckevicz 2021-11-18 17:32:07 UTC 
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

Reference:
https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9
Comment 2 Cedric Buissart 2021-11-19 09:48:12 UTC 
Upstream patches:
https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
Comment 4 Cedric Buissart 2021-11-19 10:19:21 UTC 
Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2024863]
Comment 7 Cedric Buissart 2021-11-19 13:03:17 UTC 
Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2024895]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2024896]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2024897]
Comment 17 errata-xmlrpc 2021-12-15 19:28:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171
Comment 18 errata-xmlrpc 2022-01-06 18:40:09 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0041 https://access.redhat.com/errata/RHSA-2022:0041
Comment 20 Aditya Soni 2022-01-21 03:55:44 UTC 
*** Bug 2039650 has been marked as a duplicate of this bug. ***
Comment 21 errata-xmlrpc 2022-01-25 09:24:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246
Comment 22 errata-xmlrpc 2022-02-01 21:14:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350
Comment 24 errata-xmlrpc 2022-02-22 21:58:01 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:0595 https://access.redhat.com/errata/RHSA-2022:0595
Comment 25 errata-xmlrpc 2022-03-03 06:58:04 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735
Comment 26 errata-xmlrpc 2022-06-06 09:27:01 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914
Comment 27 errata-xmlrpc 2022-06-09 02:06:03 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956
Comment 28 Product Security DevOps Team 2022-06-09 04:30:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3918
Comment 29 errata-xmlrpc 2022-10-19 12:56:00 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.6

Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055