This affects the package y18n before 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true Upstream patch: https://github.com/yargs/y18n/pull/108
Created nodejs-y18n tracking bugs for this issue: Affects: fedora-all [bug 1898681]
nodejs as shipped with Red Hat Enterprise Linux 8, as well as Red Hat Software Collections, ships vulnerable versions of y18n (v3.2.1, v4.0.0) in node_modules for npm and yargs. However, it does not accept untrusted input remotely that could be used to trigger the flaw.
External References: https://snyk.io/vuln/SNYK-JS-Y18N-1021887
Flaw summary: There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
Statement: In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-y18n library to authenticated users only, therefore the impact is Low. In Red Hat OpenShift Container Storage 4 the noobaa-core container includes the affected version of y18n as a dependency of yargs. However, no unsafe usage found where the module accepts untrusted input and hence this issue has been rated as having a security impact of Low.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:5305 https://access.redhat.com/errata/RHSA-2020:5305
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7774
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:5499 https://access.redhat.com/errata/RHSA-2020:5499
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0421 https://access.redhat.com/errata/RHSA-2021:0421
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0551 https://access.redhat.com/errata/RHSA-2021:0551
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633
This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.7.0 on RHEL-8 Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438