ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. ctorName reads val.constructor.name without first checking that the constructor property is an actual function, so a crafted payload (for example a parsed JSON object that carries its own "constructor" key) can override this builtin attribute and manipulate the type detection result.
References:
https://security-tracker.debian.org/tracker/CVE-2019-20149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20149
https://github.com/jonschlinkert/kind-of/issues/30
https://github.com/jonschlinkert/kind-of/pull/31
Created nodejs-kind-of tracking bugs for this issue: Affects: fedora-all [bug 1959722]
Versions of `kind-of` 6.x prior to 6.0.3 are vulnerable.
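The following is an added example, not code from the kind-of project or from this bug's reporters. It is a reduced re-implementation of the ctorName-driven dispatch in kind-of 6.0.2, placed beside a hardened ctorName that only trusts a constructor property when it is a real function (an assumption about the intent of the upstream fix, written here as our own code). Feeding it the object that JSON.parse produces for the advisory's payload shows the type-detection result flipping from 'object' to 'symbol'. The sample payload and the makeKindOf/sanityResults helpers are constructed for this example.

```javascript
// Added example: reduced reconstruction of the vulnerable ctorName dispatch
// from kind-of 6.0.2 next to a hardened variant. Not the library's own source.

// Vulnerable shape: trusts any property named "constructor", so a plain data
// object carrying {constructor: {name: 'Symbol'}} reports itself as a Symbol.
function ctorNameVulnerable(val) {
  return val.constructor ? val.constructor.name : null;
}

// Hardened shape (assumption: mirrors the idea of the 6.0.3 fix, written here
// independently): only accept a constructor that is actually a function, so a
// user-supplied data property named "constructor" is ignored.
function ctorNameHardened(val) {
  return typeof val.constructor === 'function' ? val.constructor.name : null;
}

// Reduced kindOf: only the branches needed to show the ctorName-driven cases.
// makeKindOf is a constructed helper so both ctorName variants share one body.
function makeKindOf(ctorName) {
  return function kindOf(val) {
    if (val === void 0) return 'undefined';
    if (val === null) return 'null';
    const type = typeof val;
    // string, number, boolean, symbol, bigint: typeof is authoritative
    if (type !== 'object' && type !== 'function') return type;
    if (Array.isArray(val)) return 'array';
    // Everything below is decided by the constructor name, which is where
    // the conflicting "constructor" key takes over in the vulnerable variant.
    switch (ctorName(val)) {
      case 'Symbol': return 'symbol';
      case 'Promise': return 'promise';
      case 'WeakMap': return 'weakmap';
      case 'Map': return 'map';
      case 'Set': return 'set';
      case 'Date': return 'date';
      case 'RegExp': return 'regexp';
      case 'Error': return 'error';
      case 'Function': return 'function';
    }
    return 'object';
  };
}

const kindOfVulnerable = makeKindOf(ctorNameVulnerable);
const kindOfHardened = makeKindOf(ctorNameHardened);

// Constructed attacker input: exactly what JSON.parse yields for the payload
// quoted in the advisory. No prototype is touched; it is a plain own property.
const payload = JSON.parse('{"constructor":{"name":"Symbol"}}');

// Sanity check: ordinary built-ins are classified the same way by both variants,
// so the hardening does not change results for legitimate values.
function sanityResults() {
  return [new Map(), new Date(0), /x/, Symbol('s')]
    .map(v => [kindOfVulnerable(v), kindOfHardened(v)]);
}

console.log('vulnerable:', kindOfVulnerable(payload)); // 'symbol'
console.log('hardened:  ', kindOfHardened(payload));   // 'object'
console.log('sanity:', JSON.stringify(sanityResults().map(r => r[0])));
```

The practical check for a dependent application is therefore not only "which kind-of version is installed" but also whether any untrusted, deserialized object ever reaches kindOf (directly or through a library that uses it for dispatch), since that is the only path by which the "constructor" key can be attacker-controlled.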
Analysis is complete for AAP components and as a result, I found that though it uses the vulnerable version of the Node.js kind-of lib, none of the components seem to be using the ctorName functionality in index.js or the kind-of / kindOf functionality for type checking. Hence, lowering the severity from medium to low.
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Via RHSA-2021:3454 https://access.redhat.com/errata/RHSA-2021:3454
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20149