Bug 2035012 (CVE-2021-23450) - CVE-2021-23450 dojo: prototype pollution via the setObject function
Summary: CVE-2021-23450 dojo: prototype pollution via the setObject function
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-23450
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2035013
Blocks: 2035014
TreeView+ depends on / blocked
 
Reported: 2021-12-22 17:42 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-22 19:47 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-12-22 19:47:49 UTC


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-12-22 17:42:35 UTC
All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.

References:
https://security.snyk.io/vuln/SNYK-JS-DOJO-1535223
https://github.com/dojo/dojo/blob/4c39c14349408fc8274e19b399ffc660512ed07c/_base/lang.js#23L172

Comment 1 Guilherme de Almeida Suckevicz 2021-12-22 17:42:45 UTC
Created dojo tracking bugs for this issue:

Affects: epel-all [bug 2035013]

Comment 2 Garrett Tucker 2021-12-22 18:55:36 UTC
RHEL 7 IPA is unaffected. While IPA does make use of Dojo, it is limited in its scope and does not use the affected setObject function. While it is possible to create a plugin / extension for ipa that could make use of the setObject function in dojo, this would require privileges that are already escalated to that of an ipa admin at minimum which would provide more control than exploitation of the flaw.

Comment 3 Product Security DevOps Team 2021-12-22 19:47:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23450


Note You need to log in before you can comment on or make changes to this bug.