A vulnerability was found in nodejs dot-prop, where set is vulnerable to Prototype Pollution in versions lower than 5.1.0. The function set could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ paths. Reference: https://hackerone.com/reports/719856 Upstream commit: https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2
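As an added example (not dot-prop's own code), here is a minimal dotted-path setter written the way the fixed versions behave: any path segment named constructor, prototype or __proto__ turns the whole write into a no-op, so a caller holding a plain object cannot be steered into Object.prototype. The path syntax (dots, backslash-escaped dots) and the no-op-on-disallowed-key behaviour are assumptions modelled on the upstream fix, not quoted from it.

```javascript
// Keys that would let a dotted path walk out of the target object and into
// its prototype chain. Matches the three paths named in the advisory.
const DISALLOWED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Split "a.b.c" into ["a", "b", "c"]; "a\.b" keeps a literal dot in the key.
// (Assumed syntax; shown for illustration, not dot-prop's parser.)
function parsePath(path) {
  if (typeof path !== 'string') return [];
  const segments = [];
  let current = '';
  for (let i = 0; i < path.length; i++) {
    const ch = path[i];
    if (ch === '\\' && path[i + 1] === '.') {
      current += '.';
      i++; // consume the escaped dot
    } else if (ch === '.') {
      segments.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  segments.push(current);
  return segments;
}

// True when no segment of the path can reach the prototype chain.
function isSafePath(path) {
  return parsePath(path).every((segment) => !DISALLOWED_KEYS.has(segment));
}

// Hardened setter: refuses (returns the object unchanged) on unsafe paths and
// only descends into *own* properties, never into inherited ones.
function setProperty(object, path, value) {
  if (object === null || typeof object !== 'object') return object;
  if (!isSafePath(path)) return object; // no-op instead of polluting
  const segments = parsePath(path);
  let current = object;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (i === segments.length - 1) {
      current[key] = value;
      break;
    }
    const own = Object.prototype.hasOwnProperty.call(current, key) ? current[key] : undefined;
    if (own === null || typeof own !== 'object') current[key] = {};
    current = current[key];
  }
  return object;
}

console.log(setProperty({}, 'user.name', 'alice'));          // { user: { name: 'alice' } }
console.log(setProperty({}, '__proto__.polluted', 'yes'));    // {}  (write refused)
console.log(({}).polluted);                                    // undefined: Object.prototype untouched
```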
Created nodejs-dot-prop tracking bugs for this issue: Affects: fedora-all [bug 1868197]
Only openshift4/grafana packages a vulnerable version of nodejs-dot-prop (v4.2.0). The version in OpenShift 3.11 only includes dot-prop as a dev dependency and is not present at runtime. A vulnerable version of dot-prop (v4.2.0) is also present in openshift4/ose-prometheus in the react-ui, which, whilst unused in OpenShift, is still accessible via the URL path. Likewise, OpenShift ServiceMesh also packages a vulnerable version of nodejs-dot-prop (v4.2.0).
Also a fix for v4.2.0: https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587 Although, we cannot update the fixed-in version to 4.2.1 as it hasn't been tagged yet.
External References: https://hackerone.com/reports/719856
Statement: In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers are behind OpenShift OAuth, restricting access to the vulnerable dot-prop library to authenticated users only; therefore the impact is Low. Red Hat OpenShift Container Storage 4 is not affected by this vulnerability, as it already includes a patched version of dot-prop (v5.2.0) in the noobaa-core container.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4272 https://access.redhat.com/errata/RHSA-2020:4272
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8116
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:4903 https://access.redhat.com/errata/RHSA-2020:4903
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:5086 https://access.redhat.com/errata/RHSA-2020:5086
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548