Bug 2060615 (CVE-2022-0841)

Summary: CVE-2022-0841 npm-lockfile: os command injection
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: epel-packagers-sig, fboucher, hhorak, jorton, ldap-maint, mpitt, mrunge, ngompa13, nodejs-maint, nodejs-sig, openstack-sig, pabelanger, sgallagh, thrcka, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: lockfile 2.0.5 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in npm-lockfile, where npm-lockfile v2 did not sanitize the `only` parameter before invoking sensitive command execution API with the input. This issue leads to a command injection vulnerability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-04-01 13:25:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2060671, 2060672, 2060673, 2060674, 2060676, 2060677, 2060678, 2060679, 2060680, 2070960    
Bug Blocks: 2060681    

Description Anten Skrabec 2022-03-03 21:35:56 UTC 
OS Command Injection in GitHub repository ljharb/npm-lockfile prior to v2.0.5.

https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8
https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1
Comment 1 Anten Skrabec 2022-03-03 23:53:12 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2060671]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-34 [bug 2060672]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-34 [bug 2060673]
Affects: fedora-35 [bug 2060678]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2060674]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-34 [bug 2060676]
Affects: fedora-35 [bug 2060679]


Created zuul tracking bugs for this issue:

Affects: fedora-34 [bug 2060677]
Affects: fedora-35 [bug 2060680]
Comment 2 Mauro Matteo Cascella 2022-04-01 12:51:05 UTC 
Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2070960]
Comment 3 Product Security DevOps Team 2022-04-01 13:25:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0841
Comment 5 Mauro Matteo Cascella 2022-04-01 14:11:28 UTC 
npm-lockfile v1 shipped in RHEL is not affected by this CVE as it doesn't include the vulnerable code (i.e., support for `only` parameter).