Bug 2066009 (CVE-2021-44906) - CVE-2021-44906 minimist: prototype pollution
Summary: CVE-2021-44906 minimist: prototype pollution
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-44906
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2071501 2073584 2071497 2071498 2071499 2071500 2071502 2073583 2073585 2073596 2073597 2073598 2073599 2087170 2125374 2125375 2125376 2125377 2125378 2125379 2125380 2148958 2148959 2148960 2148966 2148970 2148973 2148974 2148975 2148976 2148977 2148978 2148979
Blocks: 2066010
Reported: 2022-03-19 23:06 UTC by Nick Tait
Modified: 2024-03-18 17:58 UTC (History)

Fixed In Version: minimist 1.2.6
Doc Type: If docs needed, set a value
Doc Text:
An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
Clone Of:
Environment:
Last Closed: 2022-05-06 00:15:30 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1546 0 None None None 2023-04-03 12:03:34 UTC
Red Hat Product Errata RHSA-2022:1739 0 None None None 2022-05-05 18:02:54 UTC
Red Hat Product Errata RHSA-2022:4914 0 None None None 2022-06-06 09:27:27 UTC
Red Hat Product Errata RHSA-2022:5069 0 None None None 2022-08-10 10:34:53 UTC
Red Hat Product Errata RHSA-2022:5892 0 None None None 2022-08-03 15:55:53 UTC
Red Hat Product Errata RHSA-2022:5893 0 None None None 2022-08-03 15:50:06 UTC
Red Hat Product Errata RHSA-2022:5894 0 None None None 2022-08-03 16:01:13 UTC
Red Hat Product Errata RHSA-2022:5928 0 None None None 2022-08-08 19:44:18 UTC
Red Hat Product Errata RHSA-2022:6813 0 None None None 2022-10-05 10:45:56 UTC
Red Hat Product Errata RHSA-2022:7044 0 None None None 2022-10-19 10:12:47 UTC
Red Hat Product Errata RHSA-2022:8652 0 None None None 2022-11-28 14:39:40 UTC
Red Hat Product Errata RHSA-2022:9073 0 None None None 2022-12-15 16:16:51 UTC
Red Hat Product Errata RHSA-2023:0050 0 None None None 2023-01-09 14:50:46 UTC
Red Hat Product Errata RHSA-2023:0321 0 None None None 2023-01-23 15:19:29 UTC
Red Hat Product Errata RHSA-2023:0612 0 None None None 2023-02-06 19:39:32 UTC
Red Hat Product Errata RHSA-2023:1043 0 None None None 2023-03-01 21:42:51 UTC
Red Hat Product Errata RHSA-2023:1044 0 None None None 2023-03-01 21:45:15 UTC
Red Hat Product Errata RHSA-2023:1045 0 None None None 2023-03-01 21:47:45 UTC
Red Hat Product Errata RHSA-2023:1047 0 None None None 2023-03-01 21:50:32 UTC
Red Hat Product Errata RHSA-2023:1049 0 None None None 2023-03-01 21:58:41 UTC
Red Hat Product Errata RHSA-2023:1533 0 None None None 2023-03-30 12:35:42 UTC
Red Hat Product Errata RHSA-2023:1742 0 None None None 2023-04-12 14:58:22 UTC

Description Nick Tait 2022-03-19 23:06:18 UTC
Affected versions of minimist ( <=1.2.5 ) are vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload.
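The mechanism named in the description above, shown in an added example that is neither minimist's code nor part of this bug report: a hypothetical toy argument parser (the names tokenize, setPathUnsafe, setPathSafe, parseUnsafe, parseSafe, isPrototypePolluted and demo are this example's own) that walks dotted keys into a plain object and so lets a `constructor` or `__proto__` segment reach Object.prototype, a check that detects the resulting pollution, and a hardened variant that rejects those segments and only ever writes into null-prototype objects. The argv values are constructed for the demo.

```javascript
// Added example (not minimist's code): a toy "--key.sub=value" parser showing
// the prototype-pollution pattern described in the bug, a detection check, and
// a hardened variant. All function names here are this example's own.
'use strict';

// Keys that must never be used as path segments when writing into a plain
// object: each gives a route to Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split argv into { path, value } pairs; only --key and --key=value forms are
// handled, and dotted keys become nested paths (like --a.b=c in minimist).
function tokenize(argv) {
  const pairs = [];
  for (const arg of argv) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
    if (!m) continue; // positional args are ignored in this toy
    pairs.push({ path: m[1].split('.'), value: m[2] === undefined ? true : m[2] });
  }
  return pairs;
}

// Vulnerable pattern: walks the path with plain objects and the `in` operator,
// so "__proto__" (or "constructor" then "prototype") resolves to
// Object.prototype and the final assignment lands there.
function setPathUnsafe(obj, path, value) {
  let cur = obj;
  for (const seg of path.slice(0, -1)) {
    if (!(seg in cur)) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
}

function parseUnsafe(argv) {
  const out = {};
  for (const { path, value } of tokenize(argv)) setPathUnsafe(out, path, value);
  return out;
}

// Hardened pattern: reject forbidden segments outright, create only
// null-prototype objects (no inherited __proto__ setter to reach), and only
// descend into *own* properties.
function setPathSafe(obj, path, value) {
  if (path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) return false;
  let cur = obj;
  for (const seg of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

function parseSafe(argv) {
  const opts = Object.create(null);
  const rejected = []; // dotted keys that were refused, for logging/alerting
  for (const { path, value } of tokenize(argv)) {
    if (!setPathSafe(opts, path, value)) rejected.push(path.join('.'));
  }
  return { opts, rejected };
}

// Detection helper for tests or a startup self-check: does Object.prototype
// now carry an own property it should never have?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Stand-alone demo on a constructed argv (not taken from the bug report).
function demo() {
  const argv = ['--port=8080', '--db.host=localhost', '--__proto__.polluted=yes'];
  parseUnsafe(argv);
  const pollutedAfterUnsafe = isPrototypePolluted('polluted');
  delete Object.prototype.polluted; // undo the pollution for the rest of the run
  const { opts, rejected } = parseSafe(argv);
  return {
    pollutedAfterUnsafe,                                // true
    pollutedAfterSafe: isPrototypePolluted('polluted'), // false
    rejected,                                           // ['__proto__.polluted']
    port: opts.port,                                    // '8080'
    dbHost: opts.db.host,                               // 'localhost'
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The `rejected` list is the useful operational signal: a parser that silently drops `__proto__` keys hides probing, whereas surfacing them lets the application log or alert on them. Rejecting the segments and using `Object.create(null)` are independent defences; either alone blocks this route, and together they also cover code that later copies the parsed options into an ordinary object.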

Comment 1 Nick Tait 2022-03-19 23:10:47 UTC
Upstream bug page: https://github.com/substack/minimist/issues/164

Comment 5 Sage McTaggart 2022-04-08 21:03:33 UTC
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2073585]


Created nodejs-minimist tracking bugs for this issue:

Affects: epel-all [bug 2073584]
Affects: fedora-all [bug 2073583]

Comment 10 errata-xmlrpc 2022-05-05 18:02:48 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739

Comment 11 Product Security DevOps Team 2022-05-06 00:15:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44906

Comment 14 errata-xmlrpc 2022-06-06 09:27:22 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914

Comment 15 errata-xmlrpc 2022-08-03 15:46:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:5893 https://access.redhat.com/errata/RHSA-2022:5893

Comment 16 errata-xmlrpc 2022-08-03 15:50:01 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:5893 https://access.redhat.com/errata/RHSA-2022:5893

Comment 17 errata-xmlrpc 2022-08-03 15:55:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:5892 https://access.redhat.com/errata/RHSA-2022:5892

Comment 18 errata-xmlrpc 2022-08-03 16:01:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2022:5894 https://access.redhat.com/errata/RHSA-2022:5894

Comment 21 errata-xmlrpc 2022-08-08 19:44:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2022:5928 https://access.redhat.com/errata/RHSA-2022:5928

Comment 22 errata-xmlrpc 2022-08-10 10:34:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069

Comment 31 errata-xmlrpc 2022-10-05 10:45:49 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

Comment 32 errata-xmlrpc 2022-10-19 10:12:42 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044

Comment 34 errata-xmlrpc 2022-11-28 14:39:36 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

Comment 36 errata-xmlrpc 2022-12-15 16:16:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073

Comment 37 errata-xmlrpc 2023-01-09 14:50:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050

Comment 38 errata-xmlrpc 2023-01-23 15:19:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321

Comment 40 Nick Tait 2023-01-27 21:48:17 UTC
I'm investigating some flaws that came up on a customer's vuln scanner. This one was especially flagged because there is a big disparity between CVSS and impact rating but no justification (CVSS comment or statement) provided. I've re-evaluated this flaw and come to the conclusion that our rating was significantly wrong. As a result I am now revising the impact (from moderate to critical) and CVSS (5.6 to 9.8) long after work began on a flaw.

As this is an unusual situation, I am listing my reasoning here:
* The analyst who owned this flaw no longer works here, so I can't ask them to provide justification of the initial lower score.
* Both upstream and NVD agree on a 9.8 CVSS - making it Critical impact.
* The Upstream and NVD advisories link to a SNYK advisory, but this is for a DIFFERENT CVE! That link is now at least tagged as "Not Applicable" on NVD. My guess is that whoever published this CVE accidentally linked to an incorrect page which contributed to this mixup in the first place.
* There also seems to be something wrong on SNYK's advisory. On the right side of https://security.snyk.io/vuln/SNYK-ROCKY8-NODEJSPACKAGING-3195467 (which does associate with this CVE) it shows a SNYK CVSS of simply "MEDIUM". Immediately underneath that it indicates the NVD rating is "9.8 CRITICAL". The problem is that expanding details for both show *identical* sub-score picks (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
* It seems that the organization behind minimist was renamed/restructured causing loss of some data. The upstream issue page on GitHub no longer exists. The new location for the repo appears to be https://github.com/minimistjs/minimist whereas the old one was https://github.com/substack/minimist. I haven't found any cached copies of the issue page. Honestly, I feel lucky that the GitHub security advisory still exists :|
* With the very limited remaining information, I don't see any reason to keep the impact so low.

Comment 41 Vít Ondruch 2023-01-30 10:48:22 UTC
(In reply to Nick Tait from comment #40)
Hi Nick,

While this might be an issue for minimist on its own, could you please take a closer look at Node.js / Nodemon, which bundle these libraries? I'd be surprised if the bug is exploitable there and it would justify the change from Medium to Critical. Closer analysis would help us determine how important the fixes in EUS releases for Node.js / Nodemon might be. These are the tickets in question:

https://bugzilla.redhat.com/buglist.cgi?quicksearch=2148973%2C2148979%2C2148977%2C2148975%2C2148970%2C2148959%2C2148960&list_id=13085826

Thx for your help

Comment 42 Vít Ondruch 2023-02-02 07:36:14 UTC
@ntait since you have changed the rating back to medium, are you going to update also the trackers?

Comment 43 Vít Ondruch 2023-02-02 08:27:06 UTC
(In reply to Vít Ondruch from comment #42)
> @ntait since you have changed the rating back to medium, are you
> going to update also the trackers?

Oh, they were updated, I had just not noticed. Thx and sorry for the noise.

Comment 44 Nick Tait 2023-02-03 00:39:06 UTC
Vit, after getting strong reactions from a number of sources (including customers) I realized just what a terrible choice I had made. I worked with my team on writing a justification, then restored the impact rating. My apologies to engineering for all the chaos and extra spam that I caused. Your initial question was valid, no worries!

Comment 45 Vít Ondruch 2023-02-03 09:27:01 UTC
(In reply to Nick Tait from comment #44)
No need for apologies. Thank you for your hard work.

Comment 46 errata-xmlrpc 2023-02-06 19:39:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612

Comment 47 errata-xmlrpc 2023-03-01 21:42:46 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 48 errata-xmlrpc 2023-03-01 21:45:11 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 49 errata-xmlrpc 2023-03-01 21:47:40 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 50 errata-xmlrpc 2023-03-01 21:50:28 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 51 errata-xmlrpc 2023-03-01 21:58:37 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 52 errata-xmlrpc 2023-03-30 12:35:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533

Comment 53 errata-xmlrpc 2023-04-12 14:58:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Comment 54 shashivardhan 2024-02-22 08:36:50 UTC
Hello team,

I see an OpenShift component is shown as 'affected' but the status is shown as 'Fix deferred'.
Red Hat OpenShift Container Platform 4	openshift4/ose-metering-hadoop	Fix deferred.

Can someone please tell me if it has been rejected by Red Hat, and for what particular reason?
This would help us assist the CU better. Thanks in advance.

