Description
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
A flaw was found in the Node.js mixin-deep package prior to versions 1.3.2 and 2.0.0. The mixin-deep function could be used to add or modify properties of Object.prototype. The highest threat from this vulnerability is to system availability.
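The class of bug described above, as an added example that is not mixin-deep's code or its actual patch: a generic recursive merge that follows a `constructor` key into `Object.prototype`, beside a hardened merge that skips prototype-related keys. The function names, the blocked-key list and the input are assumptions constructed for illustration.

```javascript
// Added illustration; not mixin-deep's source code.
const isObject = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
const isPlain = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unsafe pattern: recurses into whatever target[key] resolves to, including
// the inherited "constructor" (the Object function) and its "prototype".
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isObject(val) && isObject(target[key])) naiveMerge(target[key], val);
    else target[key] = val;
  }
  return target;
}

// Hardened pattern: skip prototype-related keys and only descend into
// properties the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (!isPlain(val)) { target[key] = val; continue; }
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (!own || !isPlain(target[key])) target[key] = {};
    safeMerge(target[key], val);
  }
  return target;
}

// Runs both merges on the same constructed input and reports the effect.
function demo() {
  const input = JSON.parse('{"a":{"b":1},"constructor":{"prototype":{"polluted":true}}}');
  const out = {};
  try {
    naiveMerge({}, input);
    out.naivePolluted = ({}).polluted === true; // every object now inherits it
  } finally {
    delete Object.prototype.polluted; // undo the side effect
  }
  out.merged = safeMerge({}, input);
  out.safePolluted = ({}).polluted === true;
  return out;
}

console.log(demo());
```
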
Report
In Red Hat Software Collections and Red Hat Enterprise Linux 8, nodejs-mixin-deep is bundled into nodejs-nodemon, and is not meant to be accessed outside of that package. Within nodemon, this flaw is rated with a Low severity. In Red Hat OpenShift Logging, the openshift-logging/kibana6-rhel8 container bundles many nodejs packages as build-time dependencies, including the mixin-deep package. The vulnerable code is not used, hence the impact of this vulnerability on OpenShift Logging is Low.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | | |
Red Hat Enterprise Linux 8 | nodejs:10/nodejs-nodemon | Fix deferred | | |
Red Hat Enterprise Linux 8 | nodejs:14/nodejs-nodemon | Not affected | | |
Red Hat OpenShift Container Platform 3.11 | kibana | Fix deferred | | |
Red Hat OpenShift Container Platform 4 | kibana | Fix deferred | | |
Red Hat Quay 3 | quay | Not affected | | |
Red Hat Software Collections | rh-nodejs10-nodejs-nodemon | Fix deferred | | |
Red Hat Software Collections | rh-nodejs14-nodejs-nodemon | Not affected | | |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0549 | 16.02.2021 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs12-nodejs | Fixed | RHSA-2021:0485 | 11.02.2021 |
Additional information
Status:
7 High
CVSS3