Bug 1912463 (CVE-2020-28282) - CVE-2020-28282 nodejs-getobject: Prototype pollution could result in DoS and RCE
Summary: CVE-2020-28282 nodejs-getobject: Prototype pollution could result in DoS and RCE
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-28282
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1912484 1912483
Blocks: 1912486
Reported: 2021-01-04 14:45 UTC by Michael Kaplan
Modified: 2023-08-30 23:59 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-getobject. The `set()` function does not check the type of the object it has reached before assigning a value to the target property, allowing an attacker to create a property that did not previously exist or to manipulate an existing one, which could lead to a denial of service or remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-01-07 18:27:39 UTC
Embargoed:



Description Michael Kaplan 2021-01-04 14:45:57 UTC
Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

External References:

https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282
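The unchecked-type `set()` behaviour described in the Doc Text, as an added JavaScript illustration written for this page (hypothetical code, not the getobject library's own implementation): a minimal dotted-path setter that shows why walking a path without checking the object it lands on pollutes `Object.prototype`, beside a hardened variant that rejects prototype-chain segments and only descends through the target's own plain-object properties.

```javascript
// Added illustration, not getobject's code: a hypothetical dotted-path set()
// in the style the Doc Text describes, beside a hardened version.

// Vulnerable pattern: walks the path, creating missing intermediates, and
// assigns the last segment without checking what object it has reached.
function unsafeSet(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]]; // a "__proto__" segment lands on Object.prototype
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened version: rejects segments that reach the prototype chain and only
// descends through the target's own plain-object properties.
function safeSet(obj, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN.has(p)) throw new Error(`refusing to set through "${p}"`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (own === null || typeof own !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs the unsafe setter on a constructed path, then checks whether a fresh,
// unrelated object now carries the injected property. Restores
// Object.prototype afterwards so the process is not left polluted.
function demonstratePollution() {
  unsafeSet({}, '__proto__.polluted', 'yes');
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked; // 'yes'
}

// The same path against the hardened setter: returns the rejection message.
function demonstrateRejection() {
  try { safeSet({}, '__proto__.polluted', 'yes'); return null; }
  catch (e) { return e.message; }
}
```

The same allow-list check applies to the `constructor.prototype` route, which the hardened setter also refuses.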

Comment 1 Michael Kaplan 2021-01-04 15:07:46 UTC
Created nodejs-getobject tracking bugs for this issue:

Affects: epel-7 [bug 1912484]
Affects: fedora-32 [bug 1912483]

Comment 2 Przemyslaw Roguski 2021-01-05 13:50:14 UTC
Statement:

In OpenShift ServiceMesh (OSSM) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-getobject library to authenticated users only, therefore the impact is Low. OpenShift ServiceMesh (OSSM) 1.1 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope.

Comment 5 Product Security DevOps Team 2021-01-07 18:27:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28282

