Description
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the `constructor`, `prototype` and `__proto__` payloads (the page's rendering dropped the underscores from the last key name).
A flaw was found in nodejs-set-value. The function mixin-deep can be tricked into adding or modifying properties of Object.prototype using any of the `constructor`, `prototype` or `__proto__` payloads. The highest threat from this vulnerability is to data confidentiality and integrity.
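To make the mechanism concrete, here is an added example in JavaScript. It is not code from set-value, mixin-deep, Kibana or Red Hat: a naive deep setter that walks a caller-controlled key path (the pattern the description refers to), a hardened setter and deep merge that refuse the three key names listed above and only descend into own properties, and a small probe that a test suite can run to confirm Object.prototype has not picked up a marker property. All function names are this example's own.

```javascript
"use strict";

// The three key names from the advisory. Reaching any of them while walking a
// path lands on Object.prototype (or on Object via constructor.prototype).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// A path is "a.b.c" or an array of segments; normalise to an array of strings.
function toSegments(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// Naive "set by path" in the style the description refers to. It trusts every
// segment, so cur["__proto__"] silently steps onto Object.prototype. Kept only
// as the "before" picture for comparison; do not use it.
function unsafeSet(target, path, value) {
  const keys = toSegments(path);
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: reject the dangerous names up front and, while descending,
// only reuse a container that is an OWN plain object of the current node.
// Anything inherited through the prototype chain is replaced with a fresh {}.
function safeSet(target, path, value) {
  const keys = toSegments(path);
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set unsafe key: ${key}`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (
      !Object.prototype.hasOwnProperty.call(cur, key) ||
      typeof cur[key] !== "object" ||
      cur[key] === null
    ) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened deep merge (the mixin-deep role). Forbidden keys in the source are
// dropped rather than thrown on, which is the usual choice when merging
// configuration; Object.keys sees "__proto__" as an own key on JSON.parse
// output, so the check is reached for JSON-supplied input.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (
        !Object.prototype.hasOwnProperty.call(target, key) ||
        typeof target[key] !== "object" ||
        target[key] === null
      ) {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runtime probe: a fresh object must not see any of the marker keys through
// its prototype chain. Useful as a post-condition in tests that feed
// untrusted paths or JSON into a setter or merger.
function prototypeIsClean(markers) {
  const probe = {};
  return markers.every((m) => !(m in probe));
}

module.exports = { unsafeSet, safeSet, safeMerge, prototypeIsClean, FORBIDDEN_KEYS };
```

The own-property check matters as much as the key blocklist: even a path made of harmless-looking names should never make the setter follow an inherited object, which is why `safeSet` replaces anything not owned by the current node with a fresh container.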
Report
While OpenShift Container Platform (OCP) contains the affected nodejs-set-value code, it is added as a dependency of Kibana 5. A similar prototype pollution issue [1] has been fixed, but no known attack vector was found, so we are rating this issue as Low for OCP. In Red Hat Software Collections and Red Hat Enterprise Linux 8, nodejs-set-value is bundled into nodejs-nodemon and is not meant to be accessed outside of that package. Within nodemon, this flaw is rated with a Low severity. OpenShift distributed tracing bundles a vulnerable version of the Node.js set-value package; however, the components are protected by OpenShift OAuth, hence the impact of this vulnerability is reduced to Low.
[1] CVE-2019-10744 https://www.elastic.co/community/security
Affected packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Red Hat Enterprise Linux 8 | nodejs:10/nodejs-nodemon | Fix deferred | |
Red Hat OpenShift Container Platform 3.11 | kibana | Will not fix | |
Red Hat OpenShift Container Platform 4 | kibana | Will not fix | |
Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-all-in-one-rhel8 | Fix deferred | |
Red Hat Quay 3 | nodejs-set-value | Not affected | |
Red Hat Software Collections | rh-nodejs10-nodejs-nodemon | Fix deferred | |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0549 | 16.02.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs12-nodejs | Fixed | RHSA-2021:0485 | 11.02.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs12-nodejs-nodemon | Fixed | RHSA-2021:0485 | 11.02.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | rh-nodejs12-nodejs | Fixed | RHSA-2021:0485 | 11.02.2021
Additional information
Status:
CVSS3: 4.2 Medium
Related vulnerabilities
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the `constructor`, `prototype` and `__proto__` payloads.
set-value is vulnerable to Prototype Pollution in versions lower than ...
A vulnerability in the set function of the set-value library used by the Аврора Центр (Aurora Center) application software, related to uncontrolled modification of object prototype attributes, allows an attacker to carry out a prototype pollution attack.
CVSS3: 4.2 Medium