Bug 2282247 (CVE-2024-29651)

Summary: CVE-2024-29651 json-schema-ref-parser: Prototype pollution issue
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aprice, caswilli, cdaley, chazlett, cmiranda, dhanak, dsimansk, eric.wittmann, gtanzill, janstey, jchui, jsamir, kaycoth, kingland, ktsao, kverlaen, matzew, mnovotny, mpierce, nboldt, pantinor, pcongius, pierdipi, rguimara, rhuss, rtaniwa, tkral
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: json-schema-ref-parser 11.2.0
Doc Text:
A prototype pollution flaw was found in the API Dev Tools json-schema-ref-parser. This flaw allows a remote attacker to cause a denial of service, cross-site scripting, or arbitrary code execution via the bundle(), parse(), resolve(), and dereference() functions. Versions 11.0.0 and 11.1.0 are affected; the issue is fixed in json-schema-ref-parser 11.2.0.
Bug Blocks: 2282252

Description Pedro Sampaio 2024-05-21 20:05:33 UTC
A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the `bundle()`, `parse()`, `resolve()`, `dereference()` functions.

References:
https://github.com/advisories/GHSA-5f97-h2c2-826q
https://gist.github.com/tariqhawis/5db76b38112bba756615b688c32409ad
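The mechanism behind this class of bug, shown as an added example that is not json-schema-ref-parser's code and does not reproduce the library's actual vulnerable code path (the page does not show it). It is a constructed toy $ref dereferencer: resolvePointer, unsafeMerge, safeMerge, dereference and run are hypothetical names, and the two schema documents are constructed inputs. The unsafe variant merges the referenced subschema into the referring node with a for...in deep merge, so a schema carrying an own "__proto__" key (JSON.parse creates it as an ordinary data property) makes the merge write into Object.prototype. The hardened variant follows own properties only and refuses the keys __proto__, constructor and prototype.

```javascript
// Added example, not json-schema-ref-parser's code: a constructed toy JSON
// Schema $ref dereferencer. Function names and both schema documents are
// hypothetical/constructed for this demo.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Decode one JSON Pointer segment (RFC 6901): "~1" -> "/", "~0" -> "~".
const decodeSegment = (seg) => seg.replace(/~1/g, '/').replace(/~0/g, '~');

// Resolve a local JSON Pointer such as "#/definitions/Pet" against root. With
// ownOnly=true only own properties are followed, so "__proto__" or
// "constructor" segments cannot step onto Object.prototype.
function resolvePointer(root, ref, ownOnly) {
  if (!ref.startsWith('#/')) throw new Error(`only local refs supported: ${ref}`);
  let node = root;
  for (const seg of ref.slice(2).split('/').map(decodeSegment)) {
    if (typeof node !== 'object' || node === null) throw new Error(`unresolvable: ${ref}`);
    if (ownOnly && !Object.prototype.hasOwnProperty.call(node, seg)) {
      throw new Error(`unresolvable (not an own property): ${ref}`);
    }
    node = node[seg];
  }
  return node;
}

// VULNERABLE deep merge. JSON.parse('{"__proto__": ...}') yields an own,
// enumerable "__proto__" data property, so for...in visits it; reading
// target["__proto__"] on a plain object returns Object.prototype, and the
// recursive call then writes the attacker's keys onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED deep merge: own keys only, prototype-related keys rejected, and an
// existing slot in target is reused only if it is target's own object.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      const ownObject = Object.prototype.hasOwnProperty.call(target, key)
        && typeof target[key] === 'object' && target[key] !== null;
      if (!ownObject) target[key] = Array.isArray(value) ? [] : {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Replace every {"$ref": "#/..."} node in place with the referenced schema,
// using either the vulnerable or the hardened merge.
function dereference(root, { safe }, node = root) {
  if (typeof node !== 'object' || node === null) return node;
  if (typeof node.$ref === 'string') {
    const target = resolvePointer(root, node.$ref, safe);
    delete node.$ref;
    return safe ? safeMerge(node, target) : unsafeMerge(node, target);
  }
  for (const key of Object.keys(node)) {
    if (safe && FORBIDDEN_KEYS.has(key)) throw new Error(`refusing key "${key}" in schema`);
    node[key] = dereference(root, { safe }, node[key]);
  }
  return node;
}

// Constructed inputs; "__proto__" is an ordinary own key after JSON.parse.
const MALICIOUS_SCHEMA = `{
  "properties": { "pet": { "$ref": "#/definitions/Evil" } },
  "definitions": { "Evil": { "__proto__": { "polluted": "yes" } } }
}`;
const BENIGN_SCHEMA = `{
  "properties": { "pet": { "$ref": "#/definitions/Pet" } },
  "definitions": { "Pet": { "type": "object", "required": ["name"] } }
}`;

// Dereference one schema text; report whether it threw and whether a fresh
// object now inherits "polluted", then undo the pollution for later code.
function run(schemaText, safe) {
  const schema = JSON.parse(schemaText);
  let error = null;
  try { dereference(schema, { safe }); } catch (e) { error = e.message; }
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { schema, error, polluted };
}
```

run(MALICIOUS_SCHEMA, false) returns { error: null, polluted: true }: a fresh {} now inherits the attacker's property, and every object in the process inherits it too, which is what turns a pollution primitive into the denial of service, XSS or code-execution outcomes listed in the doc text, depending on what downstream code reads from the prototype. run(MALICIOUS_SCHEMA, true) returns polluted: false with an error naming "__proto__", while run(BENIGN_SCHEMA, true) dereferences normally. The rule the hardened version applies is general and not specific to this library: never index into an object with a document-controlled key unless it is an own property, and reject prototype-related keys outright rather than silently skipping them.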