All versions of the node-forge package before 0.10.0 are vulnerable to Prototype Pollution via the util.setPath function. An attacker who controls the key path passed to util.setPath can supply `__proto__` as a path segment and have the value written onto Object.prototype, where it becomes visible on every object in the process. References: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293 https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
Upstream patch (removes the vulnerable util.setPath function rather than hardening it): https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756
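The following is an added example, not code from node-forge or from this bug report: a setPath-style deep-set helper in the shape the advisory describes, shown beside a hardened variant. The vulnerable helper is a constructed illustration of the flaw class (the real util.setPath may differ in detail), and the attacker path, the hardened function and its forbidden-key list are assumptions of this example; upstream's actual fix, as noted above, was to delete the function.

```javascript
'use strict';
// Added example (not node-forge code): a deep-set helper that walks a key path
// and creates intermediate objects, in the shape the advisory describes.
// Passing '__proto__' as a segment makes the walk land on Object.prototype.
function setPathVulnerable(object, keys, value) {
  if (typeof object !== 'object' || object === null) return object;
  let cur = object;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (i === keys.length - 1) {
      cur[key] = value;
    } else {
      // No ownership check: cur['__proto__'] resolves to Object.prototype,
      // which is a non-null object, so the walk descends into it.
      if (typeof cur[key] !== 'object' || cur[key] === null) {
        cur[key] = {};
      }
      cur = cur[key];
    }
  }
  return object;
}

// Hardened variant (assumed design, not the library's): refuse the key
// segments that reach the prototype chain, and only descend into own
// properties so an inherited value can never become the write target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(object, keys, value) {
  if (typeof object !== 'object' || object === null) return object;
  let cur = object;
  for (let i = 0; i < keys.length; i++) {
    const key = String(keys[i]);
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to traverse key "${key}"`);
    }
    if (i === keys.length - 1) {
      cur[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(cur, key);
      if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
        cur[key] = {};
      }
      cur = cur[key];
    }
  }
  return object;
}

// Runs both helpers on a constructed attacker-controlled path and on a
// legitimate path, returning the observations so they can be checked.
function demonstrate() {
  const attackerPath = ['__proto__', 'polluted']; // constructed attacker input
  const results = {};

  // Vulnerable helper: an unrelated, freshly created object now carries
  // the attacker's property through its prototype.
  setPathVulnerable({}, attackerPath, 'yes');
  results.vulnerablePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution for the rest of the process

  // Hardened helper: the same input is rejected and the prototype stays clean.
  let rejected = false;
  try {
    setPathSafe({}, attackerPath, 'yes');
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  results.safeRejected = rejected;
  results.safeClean = ({}).polluted === undefined;

  // Legitimate nested writes still work with the hardened helper.
  const cfg = setPathSafe({}, ['tls', 'minVersion'], 'TLSv1.2');
  results.legitimate = cfg.tls.minVersion === 'TLSv1.2';

  return results;
}

console.log(demonstrate());
```

The ownership check matters as much as the deny-list: a caller-supplied segment such as `toString` is not on the list, yet without `hasOwnProperty` the walk would descend into an inherited value. Checking `hasOwnProperty` via `Object.prototype.hasOwnProperty.call` rather than `cur.hasOwnProperty` avoids being fooled by an input object that defines its own `hasOwnProperty`.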
External References: https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
Statement: In Red Hat OpenShift Container Storage 4 the noobaa-core container includes the affected version of node-forge as a dependency of google-p12-pem; however, the vulnerable function `util.setPath` is not used, so this issue has been rated as having a security impact of Low. In OpenShift Container Platform (OCP) the prometheus container is behind OpenShift OAuth, which restricts access to the vulnerable node-forge library to authenticated users only; therefore the impact is Low.
This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.6.0 on RHEL-8 Via RHSA-2020:5605 https://access.redhat.com/errata/RHSA-2020:5605
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7720