Bug 2150323 (CVE-2022-24999)
| Summary: | CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adudiak, aileenc, alazarot, andrew.slice, aoconnor, asoldano, balejosg, bbaranow, bbuckingham, bcoca, bcourt, bdettelb, bmaxwell, bniver, bodavis, brian.stansberry, btotty, caswilli, cdewolf, chazlett, cwelton, darran.lofthouse, davidn, dbhole, dcadzow, dffrench, dhalasz, dkenigsb, dkreling, dkuc, dosoudil, dymurray, ehelms, ellin, emartyny, emingora, epacific, eric.wittmann, etamir, fdeutsch, fjansen, fjuma, flucifre, gjospin, gmalinko, gmeno, gparvin, gzaronik, hhorak, hkataria, ibek, ibolton, idm-ds-dev-bugs, ivassile, iweiss, janstey, jburrell, jcammara, jcantril, jhardy, jkoehler, jmatthew, jmontleo, jneedle, jobarker, jorton, jpavlik, jrokos, jshaughn, jsherril, jstanek, jstastny, jwendell, jwong, jwon, kanderso, kaycoth, kshier, kverlaen, lgao, lvaleeva, lzap, mabashia, mbenjamin, mhackett, mhulan, micjohns, mnovotny, mosmerov, msochure, msvehla, myarboro, nbecker, nboldt, ngough, njean, nmoumoul, nodejs-maint, nwallace, ocs-bugs, omajid, orabin, oramraz, osapryki, oskutka, ovanders, owatkins, pahickey, pantinor, pcreech, pdelbell, peholase, periklis, pjindal, pmackay, psegedy, rcernich, rchan, rgarg, rgodfrey, rguimara, rrajasek, rstancel, rwagner, saroy, scorneli, sfowler, shbose, simaishi, slucidi, smaestri, smcdonal, smullick, sostapov, sseago, stcannon, sthirugn, teagle, tfister, tkasparek, tom.jenkinson, tsasak, twalsh, ubhargav, vereddy, vkrizan, vkumar, vmugicag, yguenane, zsadeh, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | qs 4.17.3, qs 6.9.7, qs 6.8.3, qs 6.7.3, qs 6.6.1, qs 6.5.3, qs 6.4.1, qs 6.3.3, qs 6.2.4, qs 6.10.3 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-01-11 08:32:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2151097, 2151098, 2151099, 2151100, 2151101, 2152497, 2150401, 2150805, 2150806, 2150807, 2151102, 2151103, 2151142, 2151143, 2151144, 2151260, 2152233, 2152235, 2152236, 2152238, 2152239, 2152240, 2152661, 2152662, 2152663, 2154454, 2154838, 2154839 | ||
| Bug Blocks: | 2148828 | ||
|
Description
Borja Tarraso
2022-12-02 14:05:34 UTC
Created breeze-icon-theme tracking bugs for this issue: Affects: epel-8 [bug 2151099] Created golang-github-prometheus tracking bugs for this issue: Affects: epel-7 [bug 2151097] Created nodejs-qs tracking bugs for this issue: Affects: fedora-all [bug 2151103] Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2151100] Created qpid-dispatch tracking bugs for this issue: Affects: epel-7 [bug 2151098] Affects: epel-8 [bug 2151101] Created seamonkey tracking bugs for this issue: Affects: epel-8 [bug 2151102] This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24999 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8 Via RHSA-2023:0794 https://access.redhat.com/errata/RHSA-2023:0794 This issue has been addressed in the following products: MTA-6.0-RHEL-8 Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934 This issue has been addressed in the following products: RHOL-5.5-RHEL-8 Via RHSA-2023:0930 https://access.redhat.com/errata/RHSA-2023:0930 This issue has been addressed in the following products: RHOL-5.6-RHEL-8 Via RHSA-2023:0932 https://access.redhat.com/errata/RHSA-2023:0932 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742 This issue has been addressed in the following products: RHODF-4.12-RHEL-8 Via RHSA-2023:3265 https://access.redhat.com/errata/RHSA-2023:3265 This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.2 for RHEL 8 Via RHSA-2023:3645 https://access.redhat.com/errata/RHSA-2023:3645 |