Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution. Under certain circumstances an attacker can add or modify properties that will exist on all objects.

External References:
https://nodesecurity.io/advisories/612
https://hackerone.com/reports/311333
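The bug class described above, as an added illustration that is not deep-extend's code or its upstream fix: a recursive merge that skips the keys through which crafted input reaches Object.prototype, run over a constructed JSON document, with a check that a fresh object stays clean afterwards.

```javascript
// Added example, not the library's implementation. Keys that lead from a
// plain object to the shared prototype are never copied or descended into.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only objects whose prototype is Object.prototype are merged recursively;
// anything else (arrays, Object.create(null) objects, Dates) is assigned as-is.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Merge `source` into `target` in place, copying only own, non-blocked keys.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, shaped like a parsed request body. JSON.parse
// creates "__proto__" as an own property, so a naive merge would follow it.
const UNTRUSTED_JSON =
  '{"name":"demo","__proto__":{"polluted":true},' +
  '"nested":{"constructor":{"prototype":{"polluted2":true}}}}';

// Returns the merged object and whether Object.prototype was touched.
function demo() {
  const base = { name: 'app', nested: { keep: 1 } };
  const result = safeDeepExtend(base, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).polluted !== undefined || ({}).polluted2 !== undefined;
  return { result, polluted };
}
```

The `polluted` flag is the check a test suite for any merge helper should carry: a brand-new `{}` must have no properties after merging attacker-controlled input.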
Created nodejs-deep-extend tracking bugs for this issue:

Affects: epel-all [bug 1578247]
Affects: fedora-all [bug 1578248]
Fix: https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
NodeJS is shipped in Openshift Enterprise 3.9 as ImageStreams. Those ImageStreams are the RH Software Collection images. Setting Openshift Enterprise 3 as not affected.
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:2625 https://access.redhat.com/errata/RHSA-2020:2625