Bug 2083778 (CVE-2021-42581)

Summary: CVE-2021-42581 ramda: prototype poisoning
Product: [Other] Security Response
Reporter: Anten Skrabec <askrabec>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: agerstmayr, alazarot, anstephe, aoconnor, bniver, chazlett, emingora, extras-orphan, flucifre, gmeno, gparvin, grafana-maint, ibek, jkurik, jochrist, jramanat, jrokos, jross, jshaughn, jwendell, jwon, kverlaen, mbenjamin, mgoodwin, mhackett, mnovotny, nathans, njean, pahickey, pjindal, rcernich, rgodfrey, rguimara, saroy, sostapov, stcannon, vereddy, williamjmorenor
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ramda 0.27.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ramda NPM package that involves prototype poisoning. This flaw allows attackers to supply a crafted object, affecting the integrity or availability of the application.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2083780, 2083781, 2083782, 2083783, 2083784, 2084571, 2093137, 2093138
Bug Blocks: 2083813

Description Anten Skrabec 2022-05-10 18:31:32 UTC
Prototype poisoning in the function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise the integrity or availability of an application by supplying a crafted object (one that contains an own property "__proto__") as an argument to the function.

https://github.com/ramda/ramda/pull/3192
https://jsfiddle.net/3pomzw5g/2/
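The mechanism behind the report, as an added illustration that is not ramda's code and not the fix from the PR above: a stand-in mapObjIndexed-style helper that copies each mapped value into a fresh object by plain assignment. When the source object carries an own property literally named "__proto__" (which JSON.parse produces from attacker-controlled input, unlike an object literal), that assignment goes through the inherited __proto__ setter and replaces the result's prototype instead of adding a key. The function names, the hardened variant using Object.defineProperty, and the sample input are all assumptions for this example; whether ramda's own patch took the same approach is not stated on this page.

```javascript
// Added illustration (not ramda's code): a stand-in for a mapObjIndexed-style
// helper that builds its result by assigning each mapped value under the
// source key. It reproduces only the failure mode described in the report.

// Constructed attacker input. JSON.parse creates an OWN property literally
// named "__proto__"; an object literal {__proto__: ...} would not.
const CRAFTED = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "bob"}');

const identity = (v) => v;

// Vulnerable shape: plain assignment. For key === "__proto__" this does not
// create a property on acc; it invokes the inherited __proto__ setter and
// replaces acc's prototype with the attacker-supplied object.
function mapObjIndexedVulnerable(fn, obj) {
  const acc = {};
  for (const key of Object.keys(obj)) {
    acc[key] = fn(obj[key], key, obj);
  }
  return acc;
}

// Hardened shape (one option, assumed here): Object.defineProperty always
// creates an own data property and never consults the __proto__ accessor,
// so the result's prototype chain is left alone.
function mapObjIndexedHardened(fn, obj) {
  const acc = {};
  for (const key of Object.keys(obj)) {
    Object.defineProperty(acc, key, {
      value: fn(obj[key], key, obj),
      enumerable: true,
      writable: true,
      configurable: true,
    });
  }
  return acc;
}

// Integrity check: does the result inherit a field the caller never set?
function inheritsInjectedField(mapper) {
  const out = mapper(identity, CRAFTED);
  return out.isAdmin === true;
}

// Availability check: with "__proto__": null the poisoned result loses
// Object.prototype, so ordinary calls such as out.hasOwnProperty(...) throw.
function losesObjectPrototype(mapper) {
  const out = mapper(identity, JSON.parse('{"__proto__": null}'));
  try {
    out.hasOwnProperty('x');
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log('vulnerable inherits isAdmin:', inheritsInjectedField(mapObjIndexedVulnerable)); // true
console.log('hardened inherits isAdmin:  ', inheritsInjectedField(mapObjIndexedHardened));   // false
console.log('vulnerable loses prototype:', losesObjectPrototype(mapObjIndexedVulnerable));  // true
console.log('hardened loses prototype:  ', losesObjectPrototype(mapObjIndexedHardened));    // false
```

The two checks map onto the "integrity or availability" wording of the report: an injected prototype makes the result answer `true` for a field nobody set, and a null prototype makes later method calls on the result throw. Any code path that writes `target[key] = value` with a key taken from parsed input has the same exposure; Object.defineProperty, Object.create(null) targets, or an explicit `key === "__proto__"` check all close it.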

Comment 1 Anten Skrabec 2022-05-10 18:38:38 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-34 [bug 2083781]
Affects: fedora-35 [bug 2083783]
Affects: fedora-all [bug 2083780]


Created mkdocs-material tracking bugs for this issue:

Affects: fedora-34 [bug 2083782]
Affects: fedora-35 [bug 2083784]

Comment 22 errata-xmlrpc 2023-06-15 15:59:59 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642