When the source object contains a property named __proto__ defined with Object.defineProperty(), the condition that checks whether the property exists and is an object on both the target and the source passes, and the merge recurses with the target set to Object.prototype and the source set to the attacker-supplied object. Properties are then copied onto Object.prototype. Reference: https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts#L213 https://snyk.io/vuln/SNYK-JS-IMMER-1019369
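Added example, not immer's code: a generic recursive merge of the kind described above, beside a hardened version that refuses prototype keys and only recurses into own properties. The source object carries an own property named __proto__ created with Object.defineProperty, as the description states; function and key names are assumptions.

```javascript
'use strict';

// Keys that must never be merged into a target from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive merge: recurses whenever both sides hold an object under the same
// key. target['__proto__'] resolves to Object.prototype, so an own property
// named __proto__ on the source makes the recursion copy the attacker's
// properties onto the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(target[key]) && isPlainObject(source[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips forbidden keys and only recurses into own
// properties of the target, so the prototype chain is never reached.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (own && isPlainObject(target[key]) && isPlainObject(source[key])) {
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed input: an own, enumerable property literally named __proto__
// (JSON.parse('{"__proto__": {...}}') produces the same shape).
function buildSource() {
  const src = {};
  Object.defineProperty(src, '__proto__', {
    value: { polluted: true }, enumerable: true, configurable: true, writable: true,
  });
  return src;
}

// Runs a merge and reports whether an unrelated new object now sees `polluted`.
function mergeAndCheck(mergeFn) {
  const result = mergeFn({}, buildSource());
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // reset so later checks start clean
  return { leaked, result };
}
```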
Upstream Fix: https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5
External References: https://snyk.io/vuln/SNYK-JS-IMMER-1019369
Statement: Red Hat Virtualization includes an affected version of nodejs-immer; however, its usage does not meet the conditions required to exploit the flaw, so the impact is Low. In OpenShift Container Platform 4.6 (OCP) the openshift4/ose-prometheus container ships the vulnerable version of nodejs-immer; however, the Prometheus react-ui is disabled, so this flaw cannot be exploited. As the openshift4/ose-prometheus container still packages the vulnerable code, this component is affected with impact Low. This may be fixed in a future release.
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 via RHSA-2021:1169 https://access.redhat.com/errata/RHSA-2021:1169
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28477