Description
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
A flaw was found in nodejs-node-forge. A Prototype Pollution via the util.setPath function is possible.
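The two sentences above name the sink (a generic "set a value at a key path" utility) without showing why such a function pollutes prototypes or what a safe variant looks like. The following is an added example, not node-forge's own code and not its util.setPath: a minimal path-setter in the unsafe shape, next to a hardened version that refuses `__proto__`, `constructor` and `prototype` segments and only descends into own, plain-object properties. All function names (`setPathUnsafe`, `setPathSafe`, `parseDottedPath`, `demonstrate`) are hypothetical; the fix the advisory actually recommends is upgrading to 0.10.0, which removed the function entirely.

```javascript
// Added example (hypothetical names, not node-forge code): a "set value at
// key path" helper, first in the shape that makes it a prototype-pollution
// sink, then hardened.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted path such as "a.b.c" into segments (assumed path syntax).
function parseDottedPath(str) {
  return String(str).split('.');
}

// Unsafe shape: every segment is looked up and created without inspection.
// For a path beginning with "__proto__" the walk lands on Object.prototype,
// so the final assignment becomes visible on every object in the process.
function setPathUnsafe(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Hardened: reject the three prototype-reaching keys outright, never descend
// through an inherited property, and only descend into plain objects.
function setPathSafe(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array of segments');
  }
  let cur = obj;
  for (let i = 0; i < path.length; i++) {
    const key = String(path[i]);
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set prototype-polluting key "${key}"`);
    }
    if (i === path.length - 1) {
      cur[key] = value;
      break;
    }
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== 'object') {
      cur[key] = {}; // replace anything inherited or non-object with a fresh own object
    }
    cur = cur[key];
  }
  return obj;
}

// Side-by-side check: the unsafe helper leaks a key onto unrelated objects,
// the hardened one rejects the same input. The polluted key is removed
// again so the runtime is left clean.
function demonstrate() {
  setPathUnsafe({}, ['__proto__', 'polluted'], true);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;

  let rejected = false;
  try {
    setPathSafe({}, ['__proto__', 'polluted'], true);
  } catch (e) {
    rejected = true;
  }
  return { leaked, rejected, stillClean: ({}).polluted === undefined };
}

module.exports = { parseDottedPath, setPathUnsafe, setPathSafe, demonstrate };
```

The own-property check matters as much as the key blocklist: without it, a path such as `['toString', 'x']` would walk into an inherited function object rather than create a fresh nested object on the target.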
Report
In Red Hat OpenShift Container Storage 4 the noobaa-core container includes the affected version of node-forge as a dependency of google-p12-pem; however, the vulnerable function util.setPath is not used, and hence this issue has been rated as having a security impact of Low.
In OpenShift Container Platform (OCP) the prometheus container is behind OpenShift OAuth restricting access to the vulnerable node-forge library to authenticated users only, therefore the impact is Low.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | openshift4/ose-prometheus | Not affected | | |
| Red Hat Ansible Tower 3.7 for RHEL 7 | ansible-tower-37/ansible-tower-rhel7 | Fixed | RHSA-2020:5249 | 30.11.2020 |
| Red Hat OpenShift Container Storage 4.6.0 on RHEL-8 | ocs4/mcg-core-rhel8 | Fixed | RHSA-2020:5605 | 17.12.2020 |
Additional information
Status:
EPSS
CVSS3: 7.3 High
Related vulnerabilities
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
A vulnerability in the util.setPath function of the node-fetch library in the Аврора Центр application software, related to uncontrolled modification of object prototype attributes, allowing an attacker to carry out a "prototype pollution" attack