Bug 2024702 (CVE-2021-3918)
Summary: | CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | adsoni, amctagga, amuller, anpicker, aos-bugs, avibelli, bdettelb, bgeorges, bmontgom, caswilli, cbuissar, chazlett, dkreling, dkuc, eparis, erooth, fjansen, gghezzo, gparvin, hhorak, jburrell, jcantril, jorton, jpallich, jramanat, jshaughn, jwendell, jwong, jwon, kaycoth, krathod, lthon, mrunge, mszynkie, mwringe, nodejs-maint, nodejs-sig, nstielau, pahickey, peholase, periklis, pgallagh, ploffay, psegedy, rcernich, rfreiman, rruss, sgallagh, spasquie, sponnaga, stcannon, tcarlin, thrcka, twalsh, vkumar, vmugicag, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | nodejs-json-schema 0.4.0, node 16.11.0, npm 8.1.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-06-09 04:30:32 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2024863, 2024890, 2024895, 2024896, 2024897, 2024918, 2024919, 2024920, 2024921, 2024922, 2025510, 2025511, 2025512, 2025513, 2025659, 2025660, 2025661, 2026033, 2026034, 2026035, 2026036, 2026037, 2026038, 2026039, 2026040, 2026041, 2026042, 2026043, 2026044, 2027633, 2027634, 2027635, 2031774, 2033028, 2045877, 2053657, 2053658, 2053660, 2086795, 2086796, 2086797, 2086798, 2087165, 2175235 | ||
Bug Blocks: | 2024703 |
Description
Guilherme de Almeida Suckevicz
2021-11-18 17:32:07 UTC
Upstream patches: https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2024863] Created nodejs:10/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2024895] Created nodejs:12/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2024896] Created nodejs:15/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2024897] This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:0041 https://access.redhat.com/errata/RHSA-2022:0041 *** Bug 2039650 has been marked as a duplicate of this bug. *** This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2022:0595 https://access.redhat.com/errata/RHSA-2022:0595 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8 Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3918 This issue has been addressed in the following products: Red Hat Openshift distributed tracing 2.6 Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055 |