This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different. References: https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb https://github.com/mariocasciaro/object-path%230116 https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7 Via RHSA-2021:3873 https://access.redhat.com/errata/RHSA-2021:3873
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23434
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7 Via RHSA-2022:0856 https://access.redhat.com/errata/RHSA-2022:0856