1608140 – (CVE-2018-16492) CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties

Bug 1608140 (CVE-2018-16492) - CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties

Summary: CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modi...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2018-16492
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1608142 1608141 1616060
Blocks:	1608143
TreeView+	depends on / blocked

Reported:	2018-07-25 04:17 UTC by Sam Fowler
Modified:	2021-10-19 12:10 UTC (History)
CC List:	24 users (show)
Fixed In Version:	nodejs-extend 2.0.2, nodesj-extend 3.0.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-10 10:34:14 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:3917	0	None	None	None	2021-10-19 12:10:14 UTC

Description Sam Fowler 2018-07-25 04:17:13 UTC

nodejs-extend before versions 2.0.2 and 3.0.2 is vulnerable to prototype pollution. Utilities function can be tricked into modifying the prototype of "Object" when the attacker control part of the structure passed to these function. This can let an attacker add or modify existing property that will exist on all object.


External Reference:

https://snyk.io/vuln/npm:extend:20180424


Upstream Patch:

https://github.com/justmoon/node-extend/commit/0e68e71d93507fcc391e398bc84abd0666b28190


Upstream Pull Request:

https://github.com/justmoon/node-extend/pull/48

Comment 1 Sam Fowler 2018-07-25 04:18:01 UTC

Created nodejs-extend tracking bugs for this issue:

Affects: epel-7 [bug 1608142]
Affects: fedora-all [bug 1608141]

Comment 2 Pedro Yóssis Silva Barbosa 2018-08-14 20:10:16 UTC

More info about "Prototype Pollution": https://medium.com/intrinsic/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96

Comment 7 Jason Shepherd 2021-05-07 03:00:42 UTC

Statement:

Red Hat Quay includes 'extend' as a build time dependency. It's not used at runtime reducing the impact of this vulnerability to low.

Comment 9 errata-xmlrpc 2021-10-19 12:10:11 UTC

This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917

Note You need to log in before you can comment on or make changes to this bug.

ahardin
bdettelb
bleanhar
cbyrne
ccoleman
cmacedo
dedgar
dffrench
drusso
hhorak
jgoulding
jmadigan
jokerman
jorton
jshepherd
lgriffin
mchappel
ngough
piotr1212
pwright
sfowler
tomckay
trepel
zsvetlik