All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
Reference: https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402
Upstream patch: https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03
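As an added illustration of the bug class named above (my own example, not DataTables' or Red Hat's code; the exact DataTables internals are not reproduced, and the recursive option-merge shape is an assumption), here is an unguarded deep-extend beside its hardened form, plus a check a test suite can use to detect pollution of Object.prototype:

```javascript
// Added example, not DataTables' own code. Assumption: the vulnerable code is a
// recursive merge of user-supplied options (jQuery.extend(true, ...) style).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Unguarded merge: a source key "__proto__" makes target["__proto__"] resolve
// to Object.prototype, so the recursion writes into the global prototype.
function unsafeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: reject every key that can reach a prototype (a fix that only
// rejects "__proto__" is the classic incomplete one), and only recurse into
// objects that are the target's OWN properties, never inherited ones.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Detection helper: did a merge leave an unexpected own property on Object.prototype?
function isPrototypePolluted(marker) {
  return hasOwn(Object.prototype, marker);
}

// Constructed sample input: untrusted JSON carrying a "__proto__" key.
// JSON.parse creates it as an own property, so Object.keys() enumerates it.
const UNTRUSTED_OPTIONS = JSON.parse('{"paging": true, "__proto__": {"polluted": "yes"}}');
```

Running `safeDeepExtend({}, UNTRUSTED_OPTIONS)` keeps the legitimate `paging` option and leaves `Object.prototype` untouched, whereas the unguarded variant adds `polluted` to every object in the process.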
OpenShift ServiceMesh kiali only packages datatables.net in 1.1.x, which is OOSS for this CVE. In OSSM 2.0.x kiali removed the dependency.
External References: https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402
Statement: OpenShift console container does package a vulnerable version of datatables.net; however, as access to the vulnerable component is restricted via OpenShift OAuth, the vulnerability is rated with an impact of `Low`.
Upstream fix: https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:1184 https://access.redhat.com/errata/RHSA-2021:1184
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:1169 https://access.redhat.com/errata/RHSA-2021:1169
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:1186 https://access.redhat.com/errata/RHSA-2021:1186
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28458