Affected versions of minimist (<=1.2.5) are vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload.
Upstream bug page: https://github.com/substack/minimist/issues/164
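As an added example (not code from this bug report or from minimist itself): a hardened dotted-key setter of the kind a `--a.b=value` option parser needs, a minimal parser built on it, and a post-parse check that Object.prototype was not modified. The parser, its option syntax and the `FORBIDDEN_SEGMENTS` list are assumptions for illustration, not minimist's own API.

```javascript
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True if any segment of a dotted key could reach Object.prototype.
function isDangerousPath(segments) {
  return segments.some((s) => FORBIDDEN_SEGMENTS.has(s));
}

// Assigns value at obj[a][b][c] for the key "a.b.c". Intermediate objects get a
// null prototype so lookups never walk into Object.prototype, and a forbidden
// segment raises instead of being written through (the unpatched behaviour).
function setPath(obj, dottedKey, value) {
  const segments = dottedKey.split('.');
  if (isDangerousPath(segments)) {
    throw new Error(`refusing to set "${dottedKey}": reaches the prototype chain`);
  }
  let cur = obj;
  for (const seg of segments.slice(0, -1)) {
    if (typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Minimal "--key=value" / "--key value" / "--flag" parser built on setPath.
// Bare tokens are collected under "_". (Assumed subset of minimist-style
// syntax; enough to show where the guard belongs.)
function parseArgs(argv) {
  const out = Object.create(null);
  out._ = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) { out._.push(tok); continue; }
    const eq = tok.indexOf('=');
    const key = eq === -1 ? tok.slice(2) : tok.slice(2, eq);
    let val = true;
    if (eq !== -1) val = tok.slice(eq + 1);
    else if (i + 1 < argv.length && !argv[i + 1].startsWith('-')) val = argv[++i];
    setPath(out, key, val);
  }
  return out;
}

// Detection check to run after parsing untrusted input: a polluted prototype
// shows up as own enumerable keys on Object.prototype, visible from every {}.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}
```

Run the check after every parse of untrusted argv in a test suite; a failing check after a parse is a sign the guard has a gap.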
Created nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2073585]
Created nodejs-minimist tracking bugs for this issue:
Affects: epel-all [bug 2073584]
Affects: fedora-all [bug 2073583]
This issue has been addressed in the following products: OpenShift Service Mesh 2.1 Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-44906
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:5893 https://access.redhat.com/errata/RHSA-2022:5893
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2022:5892 https://access.redhat.com/errata/RHSA-2022:5892
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2022:5894 https://access.redhat.com/errata/RHSA-2022:5894
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2022:5928 https://access.redhat.com/errata/RHSA-2022:5928
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.11 Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069
This issue has been addressed in the following products: RHPAM 7.13.1 async Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044
This issue has been addressed in the following products: Red Hat Fuse 7.11.1 Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321
I'm investigating some flaws that came up on a customer's vuln scanner. This one was especially flagged because there is a big disparity between CVSS and impact rating but no justification (CVSS comment or statement) provided. I've re-evaluated this flaw and come to the conclusion that our rating was significantly wrong. As a result I am now revising the impact (from moderate to critical) and CVSS (5.6 to 9.8) long after work began on a flaw. As this is an unusual situation, I am listing my reasoning here:
* The analyst who owned this flaw no longer works here, so I can't ask them to provide justification of the initial lower score.
* Both upstream and NVD agree on a 9.8 CVSS - making it Critical impact.
* The Upstream and NVD advisories link to a SNYK advisory, but this is for a DIFFERENT CVE! That link is now at least tagged as "Not Applicable" on NVD. My guess is that whoever published this CVE accidentally linked to an incorrect page which contributed to this mixup in the first place.
* There also seems to be something wrong on SNYK's advisory. On the right side of https://security.snyk.io/vuln/SNYK-ROCKY8-NODEJSPACKAGING-3195467 (which does associate with this CVE) it shows a SNYK CVSS of simply "MEDIUM". Immediately underneath that it indicates the NVD rating is "9.8 CRITICAL". The problem is that expanding details for both show *identical* sub-score picks (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
* It seems that the organization behind minimist was renamed/restructured causing loss of some data. The upstream issue page on GitHub no longer exists. The new location for the repo appears to be https://github.com/minimistjs/minimist whereas the old one was https://github.com/substack/minimist. I haven't found any cached copies of the issue page. Honestly, I feel lucky that the GitHub security advisory still exists :|
* With the very limited remaining information, I don't see any reason to keep the impact so low.
(In reply to Nick Tait from comment #40) Hi Nick, While this might be an issue for minimist on its own, could you please take a closer look at Node.js / Nodemon, which bundle these libraries? I'd be surprised if the bug is exploitable there and it would justify the change from Medium to Critical. Closer analysis would help us to determine how important the fixes might be in EUS releases for Node.js / Nodemon. These are the tickets in question: https://bugzilla.redhat.com/buglist.cgi?quicksearch=2148973%2C2148979%2C2148977%2C2148975%2C2148970%2C2148959%2C2148960&list_id=13085826 Thx for your help
@ntait since you have changed the rating back to medium, are you going to update also the trackers?
(In reply to Vít Ondruch from comment #42)
> @ntait since you have changed the rating back to medium, are you
> going to update also the trackers?
Oh, they were updated, I had just not noticed. Thx and sorry for the noise
Vit, after getting strong reactions from a number of sources (including customers) I realized just how terrible a choice I had made. Worked with my team on writing a justification, then restored the impact rating. My apologies to engineering for all the chaos and extra spam that I caused. Your initial question was valid, no worries!
(In reply to Nick Tait from comment #44) No need for apologies. Thank you for your hard work.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742
Hello team, I see an OpenShift component is shown 'affected' but the status is shown 'Fix deferred':
Red Hat OpenShift Container Platform 4 openshift4/ose-metering-hadoop Fix deferred.
Can someone please tell me whether it's rejected by Red Hat, and also any particular reason? This would help us assist the CU better. Thanks in advance.