Bug 1922259 (CVE-2021-26707) - CVE-2021-26707 nodejs-merge-deep: Prototype pollution of Object.prototype via a constructor payload
Summary: CVE-2021-26707 nodejs-merge-deep: Prototype pollution of Object.prototype via...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-26707
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1925129
Blocks: 1922260
TreeView+ depends on / blocked
 
Reported: 2021-01-29 14:37 UTC by Pedro Sampaio
Modified: 2023-08-31 08:58 UTC (History)
18 users (show)

Fixed In Version: nodejs-merge-deep 3.03
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-01 20:41:57 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2021-01-29 14:37:26 UTC 
A flaw was found in merge-deep 3.0.2. A prototype pollution issue of Object.prototype via a constructor payload may lead to denial of service and other consequences.

References:

https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep
Comment 2 Przemyslaw Roguski 2021-02-01 14:19:34 UTC 
Most probably this is upstream PR:
https://github.com/jonschlinkert/merge-deep/pull/17/files
Comment 3 Przemyslaw Roguski 2021-02-01 14:19:37 UTC 
External References:

https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep
Comment 4 Przemyslaw Roguski 2021-02-04 13:00:28 UTC 
Statement:

In OpenShift Container Platform 4.6 (OCP) the openshift4/ose-prometheus container ships the vulnerable version of the merge-deep, however the Prometheus react-ui is disabled, hence this flaw cannot be exploited. As openshift4/ose-prometheus container still packages the vulnerable code, this component is affected with impact Low. This may be fixed in a future release.
Note You need to log in before you can comment on or make changes to this bug.