Description
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
A flaw was found in serialize-javascript before version 3.1.0. This flaw allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Report
Red Hat Quay includes serialize-javascript as a dependency of webpack, which is only used at build time. The vulnerable library is not used at runtime, so this flaw has a low impact on Red Hat Quay. The currently supported versions of Container Native Virtualization 2 are not affected by this flaw. However, version 2.0, which is no longer supported, is affected. OpenShift distributed tracing bundles a vulnerable version of the serialize-javascript Node.js package; however, access to the vulnerable function is restricted and protected by OpenShift OAuth, so the impact of this vulnerability is reduced to Low. In Red Hat OpenShift Logging, the openshift-logging/kibana6-rhel8 container bundles many Node.js packages as build-time dependencies, including the serialize-javascript package. The vulnerable code is not used, so the impact of this vulnerability on OpenShift Logging is Low.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-prometheus | Fix deferred | | |
| Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-all-in-one-rhel8 | Fix deferred | | |
| Red Hat OpenShift Virtualization 1 | kubevirt-web-ui-container | Will not fix | | |
| Red Hat OpenShift Virtualization 2 | kubevirt-web-ui-container | Not affected | | |
| Red Hat Quay 3 | nodejs-serialize-javascript | Fix deferred | | |
| OpenShift Service Mesh 1.0 | servicemesh-grafana | Fixed | RHSA-2020:2861 | 07.07.2020 |
| OpenShift Service Mesh 1.1 | servicemesh-grafana | Fixed | RHSA-2020:2796 | 01.07.2020 |
Additional information
Status:
EPSS:
CVSS3: 8.1 High
Related vulnerabilities
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Insecure serialization leading to RCE in serialize-javascript
Vulnerability in the deleteFunctions function of the serialize-javascript library in the Аврора Центр application software, related to improper control of code generation, allowing an attacker to execute arbitrary code
EPSS:
CVSS3: 8.1 High