Bug 2040862 (CVE-2022-21824) - CVE-2022-21824 nodejs: Prototype pollution via console.table properties
Summary: CVE-2022-21824 nodejs: Prototype pollution via console.table properties
Keywords:
Status: NEW
Alias: CVE-2022-21824
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2042990 2042993 2042995 2046369 2052252 2086813 2086814 2086815 2086816 2087169 2040863 2040864 2040865 2040866 2040867 2042991 2042992 2042994 2046354
Blocks: 2040868
Reported: 2022-01-14 19:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-19 08:20 UTC (History)

Fixed In Version: node 12.22.9, node 14.18.3, node 16.13.2, node 17.3.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Guilherme de Almeida Suckevicz 2022-01-14 19:46:18 UTC
Due to the formatting logic of the console.table() function, it was not safe to allow user-controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null prototype for the object these properties are being assigned to.

Reference:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
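
The pattern described above, as an added example that is not part of the bug report and is not Node.js source code: a simplified model of a loop that collects table columns by property name, run once with a plain-object map and once with a null-prototype map of the kind the fix uses. The names `collectColumns`, `pollutedNumericKeys` and `demo` are hypothetical, and the sample inputs are constructed.

```javascript
// Simplified model of a column-collecting loop (hypothetical, NOT Node.js source).
// `columns` maps each requested property name to an array of cell strings.
function collectColumns(rows, properties, columns) {
  rows.forEach((row, i) => {
    for (const key of properties) {
      // On a plain object, columns['__proto__'] is Object.prototype, so this
      // check does not create a fresh array for that key.
      if (columns[key] === undefined) columns[key] = [];
      // A cell the row does not own is rendered as an empty string.
      columns[key][i] = Object.prototype.hasOwnProperty.call(row, key)
        ? String(row[key])
        : '';
    }
  });
  return columns;
}

// Integrity check: numeric-looking own keys on Object.prototype should never exist.
function pollutedNumericKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => /^\d+$/.test(k));
}

// Runs the model with the map produced by `makeMap`, records what leaked onto
// Object.prototype, then restores the prototype so the process stays clean.
function demo(makeMap) {
  const rows = [{ foo: 'bar' }];      // constructed sample data
  const properties = ['__proto__'];   // constructed stand-in for untrusted input
  const columns = collectColumns(rows, properties, makeMap());
  const leaked = pollutedNumericKeys();
  const seenOnFreshObject = ({})[0];  // what unrelated objects now inherit
  for (const k of leaked) delete Object.prototype[k];
  const ownKeys = Object.getOwnPropertyNames(columns);
  return { leaked, seenOnFreshObject, ownKeys };
}

// Plain-object map: the empty string lands on Object.prototype[0].
const plainMap = demo(() => ({}));
// Null-prototype map: '__proto__' is just an ordinary own key of the map.
const nullProtoMap = demo(() => Object.create(null));

console.log('plain object map  :', plainMap);
console.log('null-prototype map:', nullProtoMap);
```

`pollutedNumericKeys()` can also be called on its own in a test suite or health check to assert that no numeric keys have appeared on `Object.prototype`.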

Comment 1 Guilherme de Almeida Suckevicz 2022-01-14 19:46:53 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2040867]
Affects: fedora-all [bug 2040863]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040864]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040865]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040866]

Comment 2 Cedric Buissart 2022-01-20 12:57:50 UTC
Upstream fix:
https://github.com/nodejs/node/commit/3454e797137b1706b11ff2f6f7fb60263b39396b

Comment 4 Cedric Buissart 2022-01-24 10:10:28 UTC
HackerOne report:
https://hackerone.com/reports/1431042

