Bug 2004944 (CVE-2021-23440) - CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747
Summary: CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-23440
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1999601 2004945 2006743 2012071 2012072 2012073 2012074 2012075 2012076 2012077 2012078 2012079 2012080 2012081 2013239 2013240 2013241 2016080
Blocks: 2004947
Reported: 2021-09-16 13:35 UTC by Marian Rehak
Modified: 2023-09-01 01:26 UTC

Fixed In Version: set-value 4.0.1
Doc Type: If docs needed, set a value
Doc Text:
A type confusion vulnerability in nodejs-set-value can lead to a bypass of CVE-2019-10747. If the user-provided keys used in the path parameter are arrays, the function mixin-deep can be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or __proto__ payloads. This vulnerability can impact data confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed: 2021-11-08 14:50:46 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2021:5038 | 0 | None | None | None | 2021-12-09 00:47:14 UTC
Red Hat Product Errata | RHSA-2022:6156 | 0 | None | None | None | 2022-08-24 13:46:11 UTC

Description Marian Rehak 2021-09-16 13:35:03 UTC
A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

External Reference:

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212

Comment 1 Marian Rehak 2021-09-16 13:35:18 UTC
Created nodejs-set-value tracking bugs for this issue:

Affects: fedora-33 [bug 2004945]

Comment 2 Przemyslaw Roguski 2021-09-17 07:46:37 UTC
Downgrading the impact to Moderate, as this does not qualify for an Important severity Red Hat rating.

Comment 14 errata-xmlrpc 2021-12-09 00:47:13 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:5038 https://access.redhat.com/errata/RHSA-2021:5038

Comment 15 errata-xmlrpc 2022-08-24 13:46:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156