Bug 2040862 (CVE-2022-21824) - CVE-2022-21824 nodejs: Prototype pollution via console.table properties
Summary: CVE-2022-21824 nodejs: Prototype pollution via console.table properties
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-21824
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2040863 2040864 2040865 2040866 2040867 2042990 2042991 2042992 2042993 2042994 2042995 2046354 2046369 2052252 2086813 2086814 2086815 2086816 2087169 2132711 2132712 2150320 2150321
Blocks: 2040868
Reported: 2022-01-14 19:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-06-22 19:51 UTC (History)
CC: 25 users

Fixed In Version: node 12.22.9, node 14.18.3, node 16.13.2, node 17.3.1
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-06 13:17:50 UTC
Embargoed:


Links
Red Hat Product Errata RHSA-2022:4914 (last updated 2022-06-06 09:27:22 UTC)
Red Hat Product Errata RHSA-2022:7044 (last updated 2022-10-19 10:10:10 UTC)
Red Hat Product Errata RHSA-2022:7830 (last updated 2022-11-08 11:33:22 UTC)
Red Hat Product Errata RHSA-2022:9073 (last updated 2022-12-15 16:16:43 UTC)
Red Hat Product Errata RHSA-2023:1742 (last updated 2023-04-12 14:58:14 UTC)
Red Hat Product Errata RHSA-2023:3742 (last updated 2023-06-22 19:51:41 UTC)

Description Guilherme de Almeida Suckevicz 2022-01-14 19:46:18 UTC
Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null prototype for the object these properties are being assigned to.

Reference:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

Comment 1 Guilherme de Almeida Suckevicz 2022-01-14 19:46:53 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2040867]
Affects: fedora-all [bug 2040863]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040864]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040865]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040866]

Comment 2 Cedric Buissart 2022-01-20 12:57:50 UTC
Upstream fix :
https://github.com/nodejs/node/commit/3454e797137b1706b11ff2f6f7fb60263b39396b

Comment 4 Cedric Buissart 2022-01-24 10:10:28 UTC
Hacker One report :
https://hackerone.com/reports/1431042

Comment 8 errata-xmlrpc 2022-06-06 09:27:19 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914

Comment 9 Product Security DevOps Team 2022-06-06 13:17:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21824

Comment 11 errata-xmlrpc 2022-10-19 10:10:06 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044

Comment 12 errata-xmlrpc 2022-11-08 11:33:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7830 https://access.redhat.com/errata/RHSA-2022:7830

Comment 13 errata-xmlrpc 2022-12-15 16:16:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073

Comment 14 errata-xmlrpc 2023-04-12 14:58:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Comment 15 errata-xmlrpc 2023-06-22 19:51:38 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

