Bug 2156263 (CVE-2022-46175)

Summary: CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, agerstmayr, aileenc, alazarot, ansasaki, asoldano, balejosg, bbaranow, bbuckingham, bcoca, bcourt, bdettelb, bmaxwell, boliveir, brian.stansberry, btotty, cdewolf, chazlett, cluster-maint, darran.lofthouse, davidn, dcadzow, dfreiber, dkenigsb, dkreling, dosoudil, dueno, dymurray, ehelms, ellin, emingora, epacific, fdeutsch, fjuma, fmongiar, fmuellner, fzatlouk, gjospin, gmalinko, gparvin, grafana-maint, gzaronik, ibek, ibolton, idevat, idm-ds-dev-bugs, ivassile, iweiss, janstey, jburrell, jcammara, jcantril, jhardy, jhorak, jkurik, jmatthew, jmontleo, jneedle, jnethert, jobarker, jpavlik, jpoth, jrokos, jshaughn, jsherril, jstastny, jwendell, jwon, klember, kshier, kverlaen, lgao, lzap, mabashia, manisandro, mhulan, mlisik, mnovotny, mokumar, mosmerov, mpeters, mpitt, mpospisi, msochure, msvehla, mwringe, myarboro, nathans, nboldt, njean, nmoumoul, nwallace, ocs-bugs, omular, orabin, oramraz, osapryki, oskutka, owatkins, pahickey, pcreech, pdelbell, pdrozd, peholase, periklis, pjindal, pmackay, pskopek, rcernich, rchan, rgarg, rguimara, rogbas, rrajasek, rstancel, scorneli, scorreia, scox, sfowler, shbose, simaishi, slucidi, smaestri, smcdonal, smullick, sseago, stcannon, sthorger, stransky, tcunning, teagle, tfister, tojeline, tom.jenkinson, twalsh, ubhargav, vkumar, yfang, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: json5 2.2.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-02-12 14:39:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2162371, 2156463, 2156464, 2156465, 2156466, 2156467, 2156468, 2156469, 2156470, 2156471, 2156476, 2156477, 2156478, 2156479, 2156480, 2156481, 2162370, 2162372, 2162373, 2162374, 2162375, 2162376, 2162377, 2162378, 2162379, 2162380, 2162381, 2162382, 2162383, 2162384, 2162385, 2162386, 2162387, 2162388, 2162389, 2162390, 2162391, 2162392, 2162393, 2162394, 2162395, 2162396, 2162397, 2162398, 2162399    
Bug Blocks: 2156264    

Description Avinash Hanwate 2022-12-26 04:44:25 UTC
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 version 2.2.2 and later.

https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
https://github.com/json5/json5/issues/199
https://github.com/json5/json5/issues/295
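The following is an added illustration of the defect class described in the report above; it is not code from the json5 project, and the json5 module is not loaded. A hypothetical `naiveBuild()` stands in for a parser that assigns parsed keys with `obj[key] = value` (the behaviour that lets a `__proto__` key re-point the returned object's prototype), `safeBuild()` shows the own-property approach that `JSON.parse` takes, and `prototypeWasPolluted()`, `sanitize()` and `parseRejectingProto()` are hypothetical helpers a consumer can use to detect or neutralize a polluted result. All inputs are constructed.

```javascript
// Added illustration for CVE-2022-46175 (not json5 project code).
// naiveBuild() stands in for a parser that assigns keys with obj[key] = value,
// the defect class the advisory describes. All inputs below are constructed.

// Vulnerable pattern: plain assignment lets a key named "__proto__" reach
// the Object.prototype.__proto__ setter and re-point the object's prototype.
function naiveBuild(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    obj[key] = value;
  }
  return obj;
}

// Hardened pattern: define each key as an own data property, so "__proto__"
// becomes an ordinary own key (this is what JSON.parse does internally).
function safeBuild(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value,
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return obj;
}

// Detection check a consumer can run on any parsed object: a freshly parsed
// plain object must still inherit directly from Object.prototype.
function prototypeWasPolluted(obj) {
  return obj !== null && typeof obj === 'object' && !Array.isArray(obj)
    && Object.getPrototypeOf(obj) !== Object.prototype;
}

// Mitigation for code that cannot upgrade the parser yet: rebuild the tree
// with a clean prototype, keeping only own enumerable keys and dropping the
// names that commonly reach prototype machinery.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function sanitize(value) {
  if (Array.isArray(value)) {
    return value.map(sanitize);
  }
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const key of Object.keys(value)) {
      if (DANGEROUS_KEYS.has(key)) continue;
      Object.defineProperty(clean, key, {
        value: sanitize(value[key]),
        writable: true,
        enumerable: true,
        configurable: true,
      });
    }
    return clean;
  }
  return value;
}

// Strict alternative for plain JSON input: JSON.parse never pollutes, but a
// reviver can still refuse documents that carry a "__proto__" key at all,
// which is usually the right call for config files or API payloads.
function parseRejectingProto(text) {
  return JSON.parse(text, (key, value) => {
    if (key === '__proto__') {
      throw new Error('refusing JSON document with a __proto__ key');
    }
    return value;
  });
}

// Constructed input, equivalent to the document
// {"__proto__": {"polluted": true}, "name": "app"}
const CONSTRUCTED_PAIRS = [['__proto__', { polluted: true }], ['name', 'app']];

function demo() {
  const bad = naiveBuild(CONSTRUCTED_PAIRS);
  const good = safeBuild(CONSTRUCTED_PAIRS);
  return {
    naivePolluted: prototypeWasPolluted(bad),               // true
    naiveInherits: bad.polluted,                            // true, leaked via prototype
    safePolluted: prototypeWasPolluted(good),               // false
    safeOwnKeys: Object.keys(good),                         // ['__proto__', 'name']
    sanitizedPolluted: prototypeWasPolluted(sanitize(bad)), // false
  };
}

console.log(demo());
```

Running the block with `node` prints the `demo()` result. The `prototypeWasPolluted()` check is cheap enough to run on every parsed config object in a request path; `sanitize()` is the fallback when the parser cannot be upgraded to json5 2.2.2 or later, and `parseRejectingProto()` shows the stricter policy of failing closed rather than silently dropping the key.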

Comment 12 Avinash Hanwate 2023-01-19 13:23:19 UTC
Created cockatrice tracking bugs for this issue:

Affects: fedora-36 [bug 2162374]


Created fawkes tracking bugs for this issue:

Affects: fedora-36 [bug 2162375]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-36 [bug 2162376]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-36 [bug 2162377]


Created golang-github-flynn-json5 tracking bugs for this issue:

Affects: fedora-36 [bug 2162378]
Affects: fedora-37 [bug 2162391]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2162370]


Created golang-github-zyedidia-json5 tracking bugs for this issue:

Affects: fedora-36 [bug 2162379]
Affects: fedora-37 [bug 2162392]


Created grafana tracking bugs for this issue:

Affects: fedora-36 [bug 2162380]


Created micro tracking bugs for this issue:

Affects: epel-8 [bug 2162371]
Affects: fedora-36 [bug 2162381]
Affects: fedora-37 [bug 2162393]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-36 [bug 2162382]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-36 [bug 2162383]


Created pcs tracking bugs for this issue:

Affects: fedora-36 [bug 2162384]
Affects: fedora-37 [bug 2162394]


Created pgadmin4 tracking bugs for this issue:

Affects: fedora-37 [bug 2162395]


Created python-ipyparallel tracking bugs for this issue:

Affects: fedora-36 [bug 2162385]
Affects: fedora-37 [bug 2162396]


Created python-json5 tracking bugs for this issue:

Affects: epel-8 [bug 2162372]
Affects: fedora-36 [bug 2162386]
Affects: fedora-37 [bug 2162397]


Created rust-json5 tracking bugs for this issue:

Affects: fedora-36 [bug 2162387]
Affects: fedora-37 [bug 2162398]


Created seamonkey tracking bugs for this issue:

Affects: epel-8 [bug 2162373]
Affects: fedora-36 [bug 2162388]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-36 [bug 2162389]
Affects: fedora-37 [bug 2162399]


Created zuul tracking bugs for this issue:

Affects: fedora-36 [bug 2162390]

Comment 13 Sandro Mani 2023-01-19 15:37:15 UTC
Also fixed in 1.0.2 [1].

[1] https://github.com/json5/json5/issues/295#issuecomment-1368766058

Comment 14 Josh Stone 2023-01-19 17:48:23 UTC
(In reply to Avinash Hanwate from comment #12)
> Created rust-json5 tracking bugs for this issue:
> 
> Affects: fedora-36 [bug 2162387]
> Affects: fedora-37 [bug 2162398]

The json5 crate (https://crates.io/crates/json5) is independent, and a CWE like Prototype Pollution isn't possible in a static language like Rust anyway.

I suspect the golang and Python packages are similarly independent, but I haven't confirmed that.

Comment 24 errata-xmlrpc 2023-02-09 14:01:07 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0634 https://access.redhat.com/errata/RHSA-2023:0634

Comment 25 Product Security DevOps Team 2023-02-12 14:39:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-46175

Comment 26 errata-xmlrpc 2023-02-28 00:50:40 UTC
This issue has been addressed in the following products:

  MTA-6.0-RHEL-8

Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934

Comment 27 errata-xmlrpc 2023-03-01 21:44:00 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 28 errata-xmlrpc 2023-03-01 21:46:29 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 29 errata-xmlrpc 2023-03-01 21:48:56 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 30 errata-xmlrpc 2023-03-01 21:49:54 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 31 errata-xmlrpc 2023-03-01 21:59:57 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 33 errata-xmlrpc 2023-03-23 02:16:13 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428

Comment 34 errata-xmlrpc 2023-06-22 19:52:05 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742