CVE-2020-7774

Published: 25 Oct 2020
Source: redhat
CVSS3: 7.3
EPSS: Low

Description

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
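As an added illustration of the CWE-915 pattern described above (hypothetical code, not y18n's own implementation and not part of this advisory): a locale-keyed translation cache that accepts a caller-supplied locale string, beside a hardened form, plus a check a defender can run to confirm the process-wide Object prototype is clean.

```javascript
'use strict';
// Hypothetical locale-keyed translation cache (assumed shape, not y18n's code),
// showing how an untrusted locale string becomes prototype pollution.

// Vulnerable: the cache is a plain object keyed by the locale. For the locale
// "__proto__", cache[locale] resolves to Object.prototype, so the write below
// lands on every object in the process instead of on a per-locale table.
function updateLocaleUnsafe(cache, locale, key, value) {
  cache[locale] = cache[locale] || {};
  cache[locale][key] = value;
  return cache;
}

// Hardened: a null-prototype container (no inherited __proto__ accessor), an
// explicit deny-list for names that alias prototype machinery, and an
// own-property check so a locale can never resolve to an inherited object.
function updateLocaleSafe(cache, locale, key, value) {
  if (typeof locale !== 'string' || locale === '__proto__' ||
      locale === 'constructor' || locale === 'prototype') {
    throw new TypeError(`refusing unsafe locale name: ${String(locale)}`);
  }
  if (!Object.prototype.hasOwnProperty.call(cache, locale)) {
    cache[locale] = Object.create(null);
  }
  cache[locale][key] = value;
  return cache;
}

// Caches used with the hardened updater should themselves have no prototype.
function newSafeCache() {
  return Object.create(null);
}

// Detection helper: a fresh, unrelated object should never see `key`.
// If it does, something has written to Object.prototype.
function isPrototypePolluted(key) {
  return key in {};
}
```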

Statement

In OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and OpenShift distributed tracing the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-y18n library to authenticated users only, therefore the impact is Low. In Red Hat OpenShift Container Storage 4 the noobaa-core container includes the affected version of y18n as a dependency of yargs. However, no unsafe usage was found where the module accepts untrusted input, and hence this issue has been rated as having a security impact of Low.

Affected packages

Platform | Package | Status | Recommendation | Release
Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | |
OpenShift Service Mesh 1 | kiali | Affected | |
OpenShift Service Mesh 1 | servicemesh-grafana | Fix deferred | |
OpenShift Service Mesh 2.0 | kiali | Not affected | |
OpenShift Service Mesh 2.0 | servicemesh-grafana | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | y18n | Affected | |
Red Hat OpenShift Container Platform 3.11 | openshift3/ose-console | Fix deferred | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-console | Fix deferred | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-prometheus | Fix deferred | |
Red Hat Openshift Data Foundation 4 | noobaa-core-container | Affected | |

Additional information

Status: Moderate
Defect: CWE-915
https://bugzilla.redhat.com/show_bug.cgi?id=1898680 nodejs-y18n: prototype pollution vulnerability

EPSS: 0.00676 (percentile 71%, Low)

CVSS3: 7.3 High

Related vulnerabilities

CVSS3: 7.3
ubuntu
more than 4 years ago

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

CVSS3: 7.3
nvd
more than 4 years ago

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

CVSS3: 7.3
debian
more than 4 years ago

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Proto ...

CVSS3: 7.3
github
about 4 years ago

Prototype Pollution in y18n

CVSS3: 7.3
fstec
about 4 years ago

Vulnerability in the y18n library of the Аврора Центр application software, related to uncontrolled modification of object prototype attributes, allowing an attacker to carry out a prototype pollution attack
