Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-44906

Опубликовано: 10 мар. 2022
Источник: redhat
CVSS3: 3.1
EPSS Низкий

Описание

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or proto payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.

Отчет

As minimist is an argument parsing module for nodejs, exploitation of this vulnerability requires an attacker to influence which arguments are passed to nodejs when running a script. Red Hat products and services are designed in such a way that gaining this ability is not trivial. Additionally, the impact is limited by only enabling the pollution of functions, and not all generic objects. Within Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Logging Subsystem for Red Hat OpenShiftopenshift-logging/kibana6-rhel8Not affected
Migration Toolkit for Containersrhmtc/openshift-migration-ui-rhel8Affected
Red Hat 3scale API Management Platform 23scale-apicast-operator-bundle-containerAffected
Red Hat 3scale API Management Platform 23scale-apicast-operator-containerAffected
Red Hat Enterprise Linux 8nodejs:12/nodejsOut of support scope
Red Hat Enterprise Linux 8nodejs:12/nodejs-nodemonOut of support scope
Red Hat Fuse 7io.apicurio-apicuritoWill not fix
Red Hat Fuse 7io.hawt-hawtio-onlineWill not fix
Red Hat Fuse 7io.syndesis-syndesis-uiWill not fix
Red Hat JBoss Enterprise Application Platform Expansion Packorg.jboss.hal-hal-parentNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-1321
https://bugzilla.redhat.com/show_bug.cgi?id=2066009minimist: prototype pollution

EPSS

Процентиль: 77%
0.01134
Низкий

3.1 Low

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-44906

CVSS3: 9.8
ubuntu
больше 3 лет назад

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

nvd логотип

CVE-2021-44906

CVSS3: 9.8
nvd
больше 3 лет назад

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

debian логотип

CVE-2021-44906

CVSS3: 9.8
debian
больше 3 лет назад

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.j ...

github логотип

GHSA-xvch-5gv4-984h

CVSS3: 9.8
github
больше 3 лет назад

Prototype Pollution in minimist

redos логотип

ROS-20240507-05

CVSS3: 9.8
redos
около 1 года назад

Уязвимость nodejs-minimist

EPSS

Процентиль: 77%
0.01134
Низкий

3.1 Low

CVSS3