Bug 2083778 (CVE-2021-42581) - CVE-2021-42581 ramda: prototype poisoning
Summary: CVE-2021-42581 ramda: prototype poisoning
Keywords:
Status: NEW
Alias: CVE-2021-42581
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2083780 2083781 2083782 2083783 2083784 2084571 2093137 2093138
Blocks: 2083813
Reported: 2022-05-10 18:31 UTC by Anten Skrabec
Modified: 2023-10-25 17:21 UTC (History)
CC List: 37 users

Fixed In Version: ramda 0.27.1
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2023:3642
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2023-06-15 16:00:03 UTC

Description Anten Skrabec 2022-05-10 18:31:32 UTC
Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise the integrity or availability of an application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function.

https://github.com/ramda/ramda/pull/3192
https://jsfiddle.net/3pomzw5g/2/
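
Added illustration, not ramda's source and not part of the report above: a minimal reimplementation of the computed-key assignment pattern that makes a mapObjIndexed-style function poisonable, beside a variant that defines own properties, both probed with a constructed JSON payload carrying an own "__proto__" key. The function names, the hardened variant and the payload are assumptions for the demonstration; the fix shipped in ramda 0.27.1 is in the linked PR, not reproduced here.

```javascript
// Added example (not ramda's source): a minimal reimplementation of the
// pre-fix mapObjIndexed pattern, alongside a hardened variant, to show the
// prototype poisoning described in the bug.

// Vulnerable shape: build the result with plain computed-key assignment.
// When key === "__proto__", `acc[key] = value` does not create a property;
// it invokes the Object.prototype.__proto__ setter and replaces acc's prototype.
function mapObjIndexedVulnerable(fn, obj) {
  const acc = {};
  for (const key of Object.keys(obj)) {
    acc[key] = fn(obj[key], key, obj);
  }
  return acc;
}

// Hardened shape (assumed, not ramda's fix): define own data properties, so
// "__proto__" is stored as an ordinary key and the result's prototype is never touched.
function mapObjIndexedHardened(fn, obj) {
  const acc = {};
  for (const key of Object.keys(obj)) {
    Object.defineProperty(acc, key, {
      value: fn(obj[key], key, obj),
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return acc;
}

// Constructed attacker input. JSON.parse creates an *own* "__proto__" property,
// which is what the report means by "a crafted object (that contains an own
// property __proto__)"; an object literal with __proto__ would not do this.
const CRAFTED_JSON = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Run one mapping function over the crafted input and report what an
// application would observe on the result.
function probe(mapFn, fn = (v) => v) {
  const input = JSON.parse(CRAFTED_JSON);
  const out = mapFn(fn, input);
  return {
    // the crafted input really carries __proto__ as an own key
    inputHasOwnProto: Object.prototype.hasOwnProperty.call(input, '__proto__'),
    // integrity: does an attacker-chosen property show up on the result?
    isAdmin: out.isAdmin,
    // ...and if so, is it inherited (poisoned prototype) rather than own?
    isAdminIsOwn: Object.prototype.hasOwnProperty.call(out, 'isAdmin'),
    // did the result keep Object.prototype as its prototype?
    protoIntact: Object.getPrototypeOf(out) === Object.prototype,
    // did "__proto__" end up as an ordinary own key?
    protoKeyIsOwn: Object.prototype.hasOwnProperty.call(out, '__proto__'),
    // availability: are methods inherited from Object.prototype still reachable?
    toStringWorks: typeof out.toString === 'function',
    // this poisons the returned object only; Object.prototype itself is untouched
    globalPolluted: ({}).isAdmin !== undefined,
  };
}

// Usage:
//   probe(mapObjIndexedVulnerable)              -> isAdmin: true, protoIntact: false
//   probe(mapObjIndexedVulnerable, () => null)  -> toStringWorks: false (null prototype)
//   probe(mapObjIndexedHardened)                -> isAdmin: undefined, protoKeyIsOwn: true
```

Two checks worth keeping in mind when triaging this class of bug: the damage is confined to the object the function returns (its prototype is replaced), so a global `({}).isAdmin` probe stays clean and will not detect it; and the impact depends on what the mapping callback returns for the "__proto__" entry, since an object becomes the new prototype (integrity) while null strips Object.prototype entirely and breaks inherited methods (availability).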

Comment 1 Anten Skrabec 2022-05-10 18:38:38 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-34 [bug 2083781]
Affects: fedora-35 [bug 2083783]
Affects: fedora-all [bug 2083780]


Created mkdocs-material tracking bugs for this issue:

Affects: fedora-34 [bug 2083782]
Affects: fedora-35 [bug 2083784]

Comment 22 errata-xmlrpc 2023-06-15 15:59:59 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

