Bug 1813344 (CVE-2020-7598) - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-7598
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1813347 1813345 1813346 1816880 1826772 1826773 1826774 1826775 1826830 1826831 1826832 1826833 1849501 1849502 1849503 1849504 1849505 1849506 1849507 1849508 1853321 1853322 1853339 1853340 1853341
Blocks: 1813351
Reported: 2020-03-13 14:57 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-12-02 15:57 UTC (History)

Fixed In Version: minimist 1.2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-minimist: an argument key containing a "constructor" or "__proto__" path segment could add or modify properties of Object.prototype, which every object in the process inherits. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Clone Of:
Environment:
Last Closed: 2020-06-02 17:20:32 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2020:2900  0        None      None    None     2020-07-13 18:24:53 UTC
Red Hat Product Errata  RHBA-2020:3095  0        None      None    None     2020-07-22 11:25:44 UTC
Red Hat Product Errata  RHBA-2020:3149  0        None      None    None     2020-07-27 03:19:50 UTC
Red Hat Product Errata  RHBA-2020:3269  0        None      None    None     2020-08-03 07:54:36 UTC
Red Hat Product Errata  RHBA-2020:3529  0        None      None    None     2020-08-20 10:29:45 UTC
Red Hat Product Errata  RHBA-2020:3530  0        None      None    None     2020-08-20 10:23:40 UTC
Red Hat Product Errata  RHSA-2020:2362  0        None      None    None     2020-06-02 15:36:24 UTC
Red Hat Product Errata  RHSA-2020:2847  0        None      None    None     2020-07-07 09:12:08 UTC
Red Hat Product Errata  RHSA-2020:2848  0        None      None    None     2020-07-07 09:23:12 UTC
Red Hat Product Errata  RHSA-2020:2849  0        None      None    None     2020-07-07 09:14:59 UTC
Red Hat Product Errata  RHSA-2020:2852  0        None      None    None     2020-07-07 09:39:41 UTC
Red Hat Product Errata  RHSA-2020:2895  0        None      None    None     2020-07-13 10:48:09 UTC
Red Hat Product Errata  RHSA-2020:2992  0        None      None    None     2020-07-27 18:49:40 UTC
Red Hat Product Errata  RHSA-2020:3042  0        None      None    None     2020-07-21 14:32:57 UTC
Red Hat Product Errata  RHSA-2020:3084  0        None      None    None     2020-07-21 19:28:59 UTC
Red Hat Product Errata  RHSA-2020:3247  0        None      None    None     2020-08-04 13:15:58 UTC
Red Hat Product Errata  RHSA-2020:4298  0        None      None    None     2020-10-27 16:23:57 UTC
Red Hat Product Errata  RHSA-2021:2643  0        None      None    None     2021-07-14 07:07:52 UTC

Description Guilherme de Almeida Suckevicz 2020-03-13 14:57:10 UTC
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Reference:
https://snyk.io/vuln/SNYK-JS-MINIMIST-559764

Upstream commit:
https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
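
The two payload shapes named in the description, walked through a minimal model of the dotted-key handling an argv parser like minimist performs. This is an added illustration, not minimist's code and not the upstream patch: `setKeyVulnerable`, `setKeySafe`, `parseArgs` and `isPolluted` are names invented here, the argv syntax is reduced to the `--a.b=c` form, and the guard in `setKeySafe` is one way to close the hole rather than a copy of the upstream commit's checks.

```javascript
// Added illustration of CVE-2020-7598 (not minimist's code, not the upstream
// patch): a minimal model of the dotted-key walk that turns "--a.b.c=v" into
// { a: { b: { c: "v" } } }, in a vulnerable and a hardened form.

// Vulnerable walk: trusts every path segment. For a plain object `o`,
// o["__proto__"] is Object.prototype and o["constructor"]["prototype"] is
// Object.prototype too, so the walk lands on the shared prototype and the
// final assignment becomes visible on every object in the process.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened walk (one way to close the hole; the upstream commit uses its own
// guards): drop any path containing "__proto__" outright, and only descend
// into properties the output object itself owns, never into anything
// inherited such as "constructor", "toString" or "hasOwnProperty".
function setKeySafe(obj, keys, value) {
  if (keys.includes('__proto__')) return;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    // Also replace own non-object values so "--a=1 --a.b=2" cannot try to
    // set a property on a primitive (a TypeError in strict mode).
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Reduce argv to the "--a.b.c=value" form only (real minimist also handles
// booleans, aliases, "--no-x", short flags and more).
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1].split('.'), m[2]);
  }
  return out;
}

// Feed one payload through a setKey implementation and report whether an
// unrelated, freshly created object afterwards inherits "polluted".
// Always removes the injected property so later code is unaffected.
function isPolluted(setKey, payload) {
  try {
    parseArgs([payload], setKey);
    return ({}).polluted !== undefined;
  } finally {
    delete Object.prototype.polluted;
  }
}

// Constructed payloads: the two forms named in the advisory.
const PAYLOADS = ['--__proto__.polluted=yes', '--constructor.prototype.polluted=yes'];

for (const payload of PAYLOADS) {
  console.log(payload,
    'vulnerable:', isPolluted(setKeyVulnerable, payload),
    'hardened:', isPolluted(setKeySafe, payload));
}
// A normal dotted option still works with the hardened walk.
console.log(parseArgs(['--db.host=localhost', '--db.port=5432'], setKeySafe));
```

Because minimist is almost always pulled in transitively, `npm ls minimist` (or `npm audit`) is the quickest way to find every copy in a dependency tree; updating one direct dependency does not update nested copies elsewhere in node_modules.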

Comment 1 Guilherme de Almeida Suckevicz 2020-03-13 14:57:39 UTC
Created nodejs-minimist tracking bugs for this issue:

Affects: epel-6 [bug 1813346]
Affects: epel-7 [bug 1813347]
Affects: fedora-all [bug 1813345]

Comment 3 Mark Cooper 2020-03-30 05:32:38 UTC
ServiceMesh packages a vulnerable version of minimist as NodeJS dependencies in the following RPMs:
  - kiali 
      - v0.0.8 and v0.0.10
  - servicemesh-grafana 
      - v0.0.8 and v1.2.0

Comment 7 Jason Shepherd 2020-03-31 05:31:26 UTC
Statement:

Red Hat Quay only includes minimist as a dependency of the test suites, and does not include it in the product. We may fix this issue in a future Red Hat Quay release.

Comment 8 Marco Benatto 2020-04-20 19:50:47 UTC
External References:

https://snyk.io/vuln/SNYK-JS-MINIMIST-559764

Comment 9 Marco Benatto 2020-04-22 14:21:49 UTC
Upstream commit for nodejs:
https://github.com/nodejs/node/commit/40b559a376ae1db031132a86a76834decf6f0c2d

Comment 11 Marco Benatto 2020-04-22 15:43:10 UTC
Upstream commit for npm:
https://github.com/npm/cli/commit/9c554fd8cd1e9aeb8eb122ccfa3c78d12af4097a

Comment 14 errata-xmlrpc 2020-06-02 15:36:22 UTC
This issue has been addressed in the following products:

  Openshift Service Mesh 1.0
  OpenShift Service Mesh 1.0

Via RHSA-2020:2362 https://access.redhat.com/errata/RHSA-2020:2362

Comment 15 Product Security DevOps Team 2020-06-02 17:20:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7598

Comment 19 errata-xmlrpc 2020-07-07 09:12:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2847 https://access.redhat.com/errata/RHSA-2020:2847

Comment 20 errata-xmlrpc 2020-07-07 09:14:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2849 https://access.redhat.com/errata/RHSA-2020:2849

Comment 21 errata-xmlrpc 2020-07-07 09:23:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2848 https://access.redhat.com/errata/RHSA-2020:2848

Comment 22 errata-xmlrpc 2020-07-07 09:39:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2852 https://access.redhat.com/errata/RHSA-2020:2852

Comment 23 errata-xmlrpc 2020-07-13 10:48:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:2895 https://access.redhat.com/errata/RHSA-2020:2895

Comment 24 errata-xmlrpc 2020-07-21 14:32:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3042 https://access.redhat.com/errata/RHSA-2020:3042

Comment 25 errata-xmlrpc 2020-07-21 19:28:56 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:3084 https://access.redhat.com/errata/RHSA-2020:3084

Comment 26 errata-xmlrpc 2020-07-27 18:49:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992

Comment 27 errata-xmlrpc 2020-08-04 13:15:55 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247

Comment 28 errata-xmlrpc 2020-10-27 16:23:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298

Comment 33 errata-xmlrpc 2021-07-14 07:07:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:2643 https://access.redhat.com/errata/RHSA-2021:2643

