A vulnerability was found in js-yaml before version 3.13.1. An Arbitrary Code Execution when an object with an executable toString() property is used as a map key, it will execute that function. This happens only for load(), which should not be used with untrusted data anyway. safeLoad() is not affected because it can't parse functions. References: https://snyk.io/vuln/SNYK-JS-JSYAML-174129 Upstream Patch: https://github.com/nodeca/js-yaml/pull/480
Created nodejs-js-yaml tracking bugs for this issue: Affects: epel-all [bug 1702349] Affects: fedora-all [bug 1702350]
Statement: This vulnerability has been rated Moderate as it requires the use of js-yaml's load() function with untrusted input, which is known to be unsafe. Untrusted input should be parsed with js-yaml's safeLoad() function instead. The kibana RPM shipped in OpenShift Container Platform (OCP), bundles the Node.js package js-yaml. The kibana RPM shipped in all versions of OCP is not affected by this vulnerability, as it uses safeLoad() instead of the vulnerable load() function. The js-yaml RPM was shipped in OCP until it was removed in version 3.11. This RPM is not used by any container images in OCP.
This vulnerability is out of security support scope for the following product: * Red Hat Mobile Application Platform Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details