Bug 1813309 (CVE-2019-10768) - CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10768
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1958829 1958830 1958831 1848734 1848735 2112524 2112525 2129242
Blocks: 1813366
Reported: 2020-03-13 14:05 UTC by Michael Kaplan
Modified: 2023-01-25 12:29 UTC (History)

Fixed In Version: angularjs 1.7.9
Doc Type: If docs needed, set a value
Doc Text:
A prototype pollution vulnerability was found in AngularJS. A remote attacker could abuse this flaw by supplying malicious input to the merge() function that overrides or adds properties of Object.prototype, possibly allowing injection of code.
Clone Of:
Environment:
Last Closed: 2021-10-28 01:29:47 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:8849  0        None      None    None     2022-12-07 19:25:29 UTC
Red Hat Product Errata  RHSA-2022:8866  0        None      None    None     2022-12-07 20:27:00 UTC
Red Hat Product Errata  RHSA-2023:0274  0        None      None    None     2023-01-25 12:29:49 UTC

Description Michael Kaplan 2020-03-13 14:05:33 UTC
In AngularJS, the merge() function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

External Reference:

https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3
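
The description above and the Doc Text field both describe the same mechanism: a recursive deep merge that follows an own "__proto__" key in attacker-controlled input ends up writing into Object.prototype. The following is an added illustration, not AngularJS's source and not code from this bug: vulnerableMerge is a deliberately simplified stand-in for a pre-1.7.9 angular.merge(), and hardenedMerge applies the kind of "skip __proto__" check the referenced upstream commit introduced. The payload is constructed for the demo; note that it is built with JSON.parse, because an object literal with "__proto__" in source code would set the prototype rather than create an own key, so the merge would never see it.

```javascript
// Added example (not AngularJS code): simplified recursive deep merge in the
// style of a pre-1.7.9 angular.merge(). Own enumerable keys of src are copied
// into dst, and plain-object values are merged recursively.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function vulnerableMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      // When key is "__proto__", dst[key] evaluates to Object.prototype, which
      // passes isPlainObject, so the recursion writes the attacker's keys onto
      // the prototype shared by every plain object in the realm.
      if (!isPlainObject(dst[key])) dst[key] = {};
      vulnerableMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened variant: refuse to traverse or assign the "__proto__" key, which is
// the check the upstream fix added to the merge path.
function hardenedMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (key === '__proto__') continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      hardenedMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Runs one merge implementation against a constructed attacker payload and
// reports whether an unrelated object created afterwards inherited the
// injected property. Cleans up Object.prototype so the demo is repeatable.
function demo(mergeFn) {
  // Constructed payload (e.g. a JSON body parsed from an HTTP request).
  // JSON.parse yields an *own* "__proto__" key, unlike an object literal.
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  const config = mergeFn({}, payload);
  const victim = {}; // has nothing to do with config or payload
  const result = {
    configName: config.name,
    victimPolluted: victim.polluted === true,
    protoPolluted: Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted'),
  };
  delete Object.prototype.polluted;
  return result;
}

console.log('vulnerable:', demo(vulnerableMerge));
console.log('hardened:  ', demo(hardenedMerge));
```

The practical check when triaging a product that bundles angular.js is whether any server- or client-side code passes untrusted JSON into angular.merge (or angular.extend with nested objects) at all; Comment 5 below lowers the impact for Grafana on exactly that basis. The merge implementation itself is fixed in angularjs 1.7.9.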

Comment 5 Jason Shepherd 2020-06-18 20:35:55 UTC
Statement:

Whilst servicemesh-grafana and grafana-container both include a vulnerable version of angular.js (v1.6.6), the impact is lowered due to Grafana not directly implementing the angular.merge function.

Comment 18 Lon Hohberger 2022-08-19 18:49:23 UTC
This also affects Fedora, as far as I can tell. I issued a PR here: https://src.fedoraproject.org/rpms/python-XStatic-Angular/pull-request/1

Comment 20 errata-xmlrpc 2022-12-07 19:25:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:8849 https://access.redhat.com/errata/RHSA-2022:8849

Comment 21 errata-xmlrpc 2022-12-07 20:26:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:8866 https://access.redhat.com/errata/RHSA-2022:8866

Comment 22 errata-xmlrpc 2023-01-25 12:29:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.0

Via RHSA-2023:0274 https://access.redhat.com/errata/RHSA-2023:0274
