Bug 2040862 (CVE-2022-21824)

Summary: CVE-2022-21824 nodejs: Prototype pollution via console.table properties
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: node 12.22.9, node 14.18.3, node 16.13.2, node 17.3.1
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-06-06 13:17:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: abenaiss, amctagga, aos-bugs, bdettelb, caswilli, dkuc, fjansen, hhorak, hvyas, jburrell, jorton, jwong, kaycoth, micjohns, mrunge, nodejs-maint, nodejs-sig, pbhattac, rfreiman, sgallagh, spandura, sthirugn, thrcka, vkumar, zsvetlik
Keywords: Security

Bug Depends On: 2040863, 2040864, 2040865, 2040866, 2040867, 2042990, 2042991, 2042992, 2042993, 2042994, 2042995, 2046354, 2046369, 2052252, 2086813, 2086814, 2086815, 2086816, 2087169, 2132711, 2132712, 2150320, 2150321
Bug Blocks: 2040868

Description Guilherme de Almeida Suckevicz 2022-01-14 19:46:18 UTC
Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null prototype for the object these properties are being assigned to.

Reference:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

Comment 1 Guilherme de Almeida Suckevicz 2022-01-14 19:46:53 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2040867]
Affects: fedora-all [bug 2040863]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040864]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040865]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040866]

Comment 2 Cedric Buissart 2022-01-20 12:57:50 UTC
Upstream fix:
https://github.com/nodejs/node/commit/3454e797137b1706b11ff2f6f7fb60263b39396b

Comment 4 Cedric Buissart 2022-01-24 10:10:28 UTC
HackerOne report:
https://hackerone.com/reports/1431042

Comment 8 errata-xmlrpc 2022-06-06 09:27:19 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914

Comment 9 Product Security DevOps Team 2022-06-06 13:17:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21824

Comment 11 errata-xmlrpc 2022-10-19 10:10:06 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044

Comment 12 errata-xmlrpc 2022-11-08 11:33:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7830 https://access.redhat.com/errata/RHSA-2022:7830

Comment 13 errata-xmlrpc 2022-12-15 16:16:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073

Comment 14 errata-xmlrpc 2023-04-12 14:58:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Comment 15 errata-xmlrpc 2023-06-22 19:51:38 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742