A vulnerability was found in NOdejs set-value, where set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads. Reference: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213 https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E
Created nodejs-set-value tracking bugs for this issue: Affects: fedora-all [bug 1795480]
Red Hat Quay 3.2 uses nodejs-set-value 2.0.1 which has a fix for this vulnerability.
Statement: While OpenShift Container Platform (OCP) contains the affected nodejs-set-value code, it's added as a dependency of Kibana 5. Similar issue about prototype pollution [1] have been fixed, but no known attack vector was found, so we're rating this issue as Low for OCP. In Red Hat Software Collections and Red Hat Enterprise Linux 8, nodejs-set-value is bundled into nodejs-nodemon, and is not meant to be accessed outside of that package. Within nodemon, this flaw is rated with a Low severity. [1] CVE-2019-10744 https://www.elastic.co/community/security
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0485 https://access.redhat.com/errata/RHSA-2021:0485
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10747
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0549 https://access.redhat.com/errata/RHSA-2021:0549