Bug 1999810 (CVE-2021-23434) - CVE-2021-23434 object-path: Type confusion vulnerability can lead to a bypass of CVE-2020-15256
Summary: CVE-2021-23434 object-path: Type confusion vulnerability can lead to a bypass...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-23434
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1999365 2000304 2000305 2006405 2006406 2006872 2006873 2006874 2006875 2006876 2006877 2006878 2006879 2006880 2006881 2006891 2006892 2006893 2006894 2006895 2006896
Blocks: 1999811
TreeView+ depends on / blocked
 
Reported: 2021-08-31 18:21 UTC by Pedro Sampaio
Modified: 2023-09-01 01:25 UTC (History)
46 users (show)

Fixed In Version: object-path 0.11.6
Doc Type: If docs needed, set a value
Doc Text:
Prototype pollution has been discovered in object-path NodeJS library. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Clone Of:
Environment:
Last Closed: 2021-10-15 02:08:18 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3873 0 None None None 2021-10-14 22:39:01 UTC
Red Hat Product Errata RHSA-2022:0856 0 None None None 2022-03-14 13:56:47 UTC

Description Pedro Sampaio 2021-08-31 18:21:35 UTC 
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.

References:

https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb
https://github.com/mariocasciaro/object-path%230116
https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423
Comment 7 errata-xmlrpc 2021-10-14 22:38:58 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:3873 https://access.redhat.com/errata/RHSA-2021:3873
Comment 8 Product Security DevOps Team 2021-10-15 02:08:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23434
Comment 10 errata-xmlrpc 2022-03-14 13:56:43 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2022:0856 https://access.redhat.com/errata/RHSA-2022:0856
Note You need to log in before you can comment on or make changes to this bug.