Due to the formatting logic of the console.table() function, it was not safe to allow user-controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution gives very limited control: it only allows an empty string to be assigned to numerical keys of the object prototype. Versions of Node.js with the fix use a null prototype for the object these properties are being assigned to. Reference: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Created nodejs tracking bugs for this issue:
Affects: epel-7 [bug 2040867]
Affects: fedora-all [bug 2040863]
Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2040864]
Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2040865]
Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2040866]
Upstream fix: https://github.com/nodejs/node/commit/3454e797137b1706b11ff2f6f7fb60263b39396b
HackerOne report: https://hackerone.com/reports/1431042
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-21824
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7830 https://access.redhat.com/errata/RHSA-2022:7830
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742
This issue has been addressed in the following products: RHODF-4.13-RHEL-9 Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742