Bug 1649409 (CVE-2019-5413) - CVE-2019-5413 nodejs-morgan: Unescaped input in compile() function
Summary: CVE-2019-5413 nodejs-morgan: Unescaped input in compile() function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-5413
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1649412 1649411 1693096 1693097
Blocks: 1649410
Reported: 2018-11-13 15:09 UTC by Andrej Nemec
Modified: 2021-10-25 22:20 UTC (History)

Fixed In Version: nodejs-morgan 1.9.1
Doc Type: If docs needed, set a value
Doc Text:
The Node.js morgan package, before version 1.9.1, does not properly sanitize input in the compile() function, allowing for potential execution of code. This vulnerability can only be exploited by attackers with the ability to provide input to the compile() function or in combination with another prototype pollution vulnerability.
Clone Of:
Environment:
Last Closed: 2021-10-25 22:20:48 UTC
Embargoed:



Description Andrej Nemec 2018-11-13 15:09:48 UTC
A code injection vulnerability was found in nodejs morgan before 1.9.1. An attacker could use the format parameter to inject arbitrary commands.

References:

https://hackerone.com/reports/390881

Comment 1 Andrej Nemec 2018-11-13 15:10:55 UTC
Created nodejs-morgan tracking bugs for this issue:

Affects: epel-all [bug 1649412]
Affects: fedora-all [bug 1649411]

Comment 2 Sam Fowler 2019-03-27 04:38:14 UTC
Upstream Patch:

https://github.com/expressjs/morgan/commit/e3296638

Comment 3 Sam Fowler 2019-03-27 07:40:21 UTC
Statement:

This vulnerability affects the nodejs-morgan RPM, used by the openshift3/logging-auth-proxy container in OpenShift Container Platform versions 3.4 through 3.10. The openshift3/logging-auth-proxy container does not expose the vulnerable compile() function, hence this vulnerability can only be exploited in combination with another prototype pollution vulnerability.

Red Hat Product Security has rated this issue as having a security impact of Low. 

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/

