Bug 2035012 (CVE-2021-23450)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2021-23450 dojo: prototype pollution via the setObject function | | |
| Product | [Other] Security Response | Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | andrew, extras-orphan, frenaud, rcritten, tscherf |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-12-22 19:47:49 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2035013 | | |
| Bug Blocks | 2035014 | | |
Description
Guilherme de Almeida Suckevicz
2021-12-22 17:42:35 UTC
Created dojo tracking bugs for this issue:

Affects: epel-all [bug 2035013]

RHEL 7 IPA is unaffected. While IPA does make use of Dojo, it is limited in its scope and does not use the affected setObject function. While it is possible to create a plugin / extension for IPA that could make use of the setObject function in dojo, this would require privileges that are already escalated to that of an IPA admin at minimum, which would provide more control than exploitation of the flaw.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23450
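The bug class named in the summary, as an added illustration that is not dojo's setObject nor any IPA code: a dotted-path setter that trusts every path segment lands its final write on Object.prototype when a segment is `__proto__` (or `constructor.prototype`), so every object in the process inherits the attacker-chosen property. Beside it is the hardened form, which rejects prototype keys and only descends into own plain-object properties, and a check a defender can use to confirm the shared prototype is clean. Function names and the sample paths are assumptions made for this demo.

```javascript
// Added illustration of the bug class in CVE-2021-23450 (prototype pollution
// through a dotted-path setter). This is not dojo's setObject nor IPA code;
// the function names and the sample paths are assumptions made for the demo.

// Path segments that would walk the setter onto a shared prototype.
const PROTOTYPE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive dotted-path setter: creates missing intermediate objects and assigns
// the value at the last segment. Every segment is trusted, so "__proto__"
// resolves to Object.prototype and the final write lands on every object.
function setObjectNaive(path, value, context) {
  const parts = path.split(".");
  let obj = context;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (obj[key] === undefined) obj[key] = {};
    obj = obj[key];
  }
  obj[parts[parts.length - 1]] = value;
  return value;
}

// Hardened setter: rejects prototype keys outright and only descends into
// own, plain-object properties of the context, never inherited ones.
function setObjectSafe(path, value, context) {
  const parts = path.split(".");
  for (const key of parts) {
    if (PROTOTYPE_KEYS.has(key)) {
      throw new TypeError(`refusing prototype key "${key}" in path "${path}"`);
    }
  }
  let obj = context;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== "object" || obj[key] === null) {
      obj[key] = {};
    }
    obj = obj[key];
  }
  obj[parts[parts.length - 1]] = value;
  return value;
}

// Detection check: Object.prototype must not carry the property. If it does,
// every freshly created object inherits it.
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Runs both setters against the same constructed path and reports what each
// did. Cleans Object.prototype up afterwards so the process is left intact.
function runComparison() {
  const maliciousPath = "__proto__.polluted"; // constructed sample input
  const result = {};

  setObjectNaive(maliciousPath, "yes", {});
  result.naivePolluted = isPolluted("polluted");
  delete Object.prototype.polluted; // undo the demonstration

  try {
    setObjectSafe(maliciousPath, "yes", {});
    result.safeBlocked = false;
  } catch (err) {
    result.safeBlocked = err instanceof TypeError;
  }
  result.pollutedAfterSafe = isPolluted("polluted");

  // The hardened setter still does its ordinary job on a benign path.
  const ctx = {};
  setObjectSafe("a.b.c", 1, ctx);
  result.legitValue = ctx.a.b.c;

  return result;
}

console.log(runComparison());
// { naivePolluted: true, safeBlocked: true, pollutedAfterSafe: false, legitValue: 1 }
```

Run with `node` to see the naive setter pollute and the hardened one refuse. The same reasoning is why the description above treats IPA as unaffected: the dangerous primitive is the untrusted path reaching a setter of the first shape, and a component that never calls such a setter has no path for the write to travel.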