Bug 2024702 (CVE-2021-3918) - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
Summary: CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3918
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 2039650 (view as bug list)
Depends On: 2175235 2024863 2024890 2024895 2024896 2024897 2024918 2024919 2024920 2024921 2024922 2025510 2025511 2025512 2025513 2025659 2025660 2025661 2026033 2026034 2026035 2026036 2026037 2026038 2026039 2026040 2026041 2026042 2026043 2026044 2027633 2027634 2027635 2031774 2033028 2045877 2053657 2053658 2053660 2086795 2086796 2086797 2086798 2087165
Blocks: 2024703
TreeView+ depends on / blocked
 
Reported: 2021-11-18 17:32 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-03-03 16:05 UTC (History)
55 users (show)

Fixed In Version: nodejs-json-schema 0.4.0, node 16.11.0, npm 8.1.0
Doc Type: If docs needed, set a value
Doc Text:
The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2022-06-09 04:30:32 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:5171 0 None None None 2021-12-15 19:28:13 UTC
Red Hat Product Errata RHSA-2022:0041 0 None None None 2022-01-06 18:40:12 UTC
Red Hat Product Errata RHSA-2022:0246 0 None None None 2022-01-25 09:24:06 UTC
Red Hat Product Errata RHSA-2022:0350 0 None None None 2022-02-01 21:14:57 UTC
Red Hat Product Errata RHSA-2022:0595 0 None None None 2022-02-22 21:58:06 UTC
Red Hat Product Errata RHSA-2022:0735 0 None None None 2022-03-03 06:58:07 UTC
Red Hat Product Errata RHSA-2022:4914 0 None None None 2022-06-06 09:27:05 UTC
Red Hat Product Errata RHSA-2022:4956 0 None None None 2022-06-09 02:06:07 UTC
Red Hat Product Errata RHSA-2022:7055 0 None None None 2022-10-19 12:56:04 UTC

Description Guilherme de Almeida Suckevicz 2021-11-18 17:32:07 UTC 
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

Reference:
https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9
Comment 2 Cedric Buissart 2021-11-19 09:48:12 UTC 
Upstream patches:
https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
Comment 4 Cedric Buissart 2021-11-19 10:19:21 UTC 
Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2024863]
Comment 7 Cedric Buissart 2021-11-19 13:03:17 UTC 
Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2024895]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2024896]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2024897]
Comment 17 errata-xmlrpc 2021-12-15 19:28:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171
Comment 18 errata-xmlrpc 2022-01-06 18:40:09 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0041 https://access.redhat.com/errata/RHSA-2022:0041
Comment 20 Aditya Soni 2022-01-21 03:55:44 UTC 
*** Bug 2039650 has been marked as a duplicate of this bug. ***
Comment 21 errata-xmlrpc 2022-01-25 09:24:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246
Comment 22 errata-xmlrpc 2022-02-01 21:14:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350
Comment 24 errata-xmlrpc 2022-02-22 21:58:01 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:0595 https://access.redhat.com/errata/RHSA-2022:0595
Comment 25 errata-xmlrpc 2022-03-03 06:58:04 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735
Comment 26 errata-xmlrpc 2022-06-06 09:27:01 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914
Comment 27 errata-xmlrpc 2022-06-09 02:06:03 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956
Comment 28 Product Security DevOps Team 2022-06-09 04:30:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3918
Comment 29 errata-xmlrpc 2022-10-19 12:56:00 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.6

Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055
Note You need to log in before you can comment on or make changes to this bug.