Description
Prototype pollution has been discovered in the object-path NodeJS library. This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition `currentPath === '__proto__'` returns false if currentPath is `['__proto__']`, because the `===` operator always returns false when the operands are of different types.
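The following JavaScript is an added example, not code from object-path itself. It shows why the strict-equality guard described above misses an array-valued component (`['__proto__']` is an Array, so `=== '__proto__'` is always false) and a hardened check that normalizes each component with `String()`, the same coercion property access applies, before comparing it against the prototype keys. The helpers `naiveIsForbidden`, `isForbiddenKey`, `safeSet` and `prototypeStaysClean` are hypothetical names chosen for this illustration.

```javascript
// Added example (not object-path's own code): why a strict-equality guard
// misses array-valued path components, and a hardened check that
// normalizes every component the way JavaScript property access does.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Guard in the style the advisory describes. A component of ['__proto__']
// is an Array, so === against a string is always false and the check fails.
function naiveIsForbidden(component) {
  return component === '__proto__';
}

// Hardened guard. Property access coerces non-symbol keys to strings, so
// obj[['__proto__']] resolves to the same property as obj['__proto__'].
// Comparing after the same coercion makes both forms equal.
function isForbiddenKey(component) {
  if (typeof component === 'symbol') return false; // a symbol never aliases __proto__
  return FORBIDDEN_KEYS.has(String(component));
}

// Minimal deep setter (hypothetical helper, not object-path's set()) that
// refuses any component resolving to a forbidden key and only walks
// through own properties of the target.
function safeSet(target, path, value) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  if (parts.length === 0) throw new TypeError('empty path');
  let node = target;
  for (let i = 0; i < parts.length; i++) {
    if (isForbiddenKey(parts[i])) {
      throw new TypeError(`refusing to set prototype key ${JSON.stringify(String(parts[i]))}`);
    }
    const key = String(parts[i]);
    if (i === parts.length - 1) {
      node[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(node, key);
      if (!own || node[key] === null || typeof node[key] !== 'object') {
        node[key] = {};
      }
      node = node[key];
    }
  }
  return target;
}

// Returns true when writing through `path` left Object.prototype untouched,
// i.e. a fresh object does not inherit `key` afterwards.
function prototypeStaysClean(path, key) {
  try {
    safeSet({}, path, 'polluted');
  } catch (e) {
    if (!(e instanceof TypeError)) throw e; // only the guard's rejection is expected
  }
  return !(key in {});
}

// Usage: legitimate paths work in both string and array form, while any
// component that coerces to a prototype key is rejected.
console.log(JSON.stringify(safeSet({}, 'a.b.c', 1)));
console.log(naiveIsForbidden(['__proto__']), isForbiddenKey(['__proto__']));
console.log(prototypeStaysClean([['__proto__'], 'polluted'], 'polluted'));
```

The design choice is to compare after coercion rather than to special-case arrays: any value that JavaScript would turn into the string `__proto__` when used as a property key is treated as that key, so the guard and the property access can no longer disagree.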
Statement
- OpenShift Container Platform components Thanos and Prometheus shipped with versions before 4.8 had the affected object-path library. Those versions are out of the support scope for Moderate and Low impact vulnerabilities because they are already in the maintenance support phase, hence the affected components have been marked as out of support scope.
- Because Service Telemetry Framework 1.2 will be retiring soon and the flaw's impact is lower, no update will be provided at this time for STF 1.2's service-telemetry-operator-container and smart-gateway-operator-container.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 1 | servicemesh-prometheus | Out of support scope | ||
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/application-ui-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/grc-ui-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/mcm-topology-api-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-api-rhel8 | Affected | ||
| Red Hat A-MQ Online | io.enmasse-enmasse | Out of support scope | ||
| Red Hat Decision Manager 7 | org.optaweb.employeerostering-optaweb-employee-rostering | Not affected | ||
| Red Hat Decision Manager 7 | org.optaweb.vehiclerouting-optaweb-vehicle-routing | Not affected | ||
| Red Hat JBoss Data Grid 7 | org.infinispan-infinispan-management-console | Out of support scope | ||
Additional information
CVSS3: 8.6 High
Related vulnerabilities
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition `currentPath === '__proto__'` returns false if currentPath is `['__proto__']`, because the `===` operator always returns false when the operands are of different types.
A vulnerability in the Node object-path module related to data type conversion errors, allowing an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service.
CVSS3: 8.6 High