Описание
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
A prototype pollution flaw was found in nodejs-dot-prop. The function set could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or proto paths. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Отчет
In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers are behind OpenShift OAuth restricting access to the vulnerable dot-prop library to authenticated users only, therefore the impact is Low. Red Hat Openshift Container Storage 4 is not affected by this vulnerability, as it already includes patched version of dot-prop(v5.2.0) in noobaa-core container.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Service Mesh 1 | servicemesh-grafana | Fix deferred | ||
| Red Hat Enterprise Linux 8 | nodejs:14/nodejs | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Fix deferred | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-prometheus | Not affected | ||
| Red Hat Openshift Container Storage 4 | ocs4/mcg-core-rhel8 | Not affected | ||
| Red Hat Software Collections | rh-nodejs14-nodejs | Not affected | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2020:4272 | 19.10.2020 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0548 | 16.02.2021 |
| Red Hat Enterprise Linux 8.1 Extended Update Support | nodejs | Fixed | RHSA-2020:4903 | 04.11.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs12-nodejs | Fixed | RHSA-2020:5086 | 12.11.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Prototype pollution vulnerability in dot-prop npm package versions bef ...
Уязвимость библиотеки dot-prop прикладного программного обеспечения Аврора Центр, связанная с неконтролируемым изменением атрибутов прототипа объекта, позволяющая нарушителю реализовать атаку типа «загрязнение прототипа»
EPSS
7.3 High
CVSS3