Bug 2080845 (CVE-2022-22143)

Summary: CVE-2022-22143 convict: Prototype Pollution in convict
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: convict 6.2.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in convict. This flaw allows an attacker to inject attributes used in other components and override existing attributes with ones that have an incompatible type, leading to a crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-08 23:33:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2080846    

Description Avinash Hanwate 2022-05-02 07:04:40 UTC 
The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508)

https://snyk.io/vuln/SNYK-JS-CONVICT-2340604
https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569
https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880
Comment 2 Product Security DevOps Team 2022-12-08 23:32:58 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22143