Description
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, which is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.
A flaw was found in the nconf library when setting the configuration properties. This flaw allows an attacker to provide a crafted property, leading to prototype object pollution.
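The class of bug described above, shown as an added example that is not nconf's own code: a nested-key setter that walks a path without checks, next to a hardened version. The function names, the ':' path separator and the sample keys are assumptions made for illustration.

```javascript
// Path segments that resolve to the prototype chain rather than to stored data.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Unchecked setter (hypothetical): creates nested objects along the path.
// A "__proto__" segment moves `target` onto Object.prototype.
function setUnsafe(store, key, value) {
  const path = key.split(':');
  let target = store;
  while (path.length > 1) {
    const seg = path.shift();
    if (!target[seg] || typeof target[seg] !== 'object') target[seg] = {};
    target = target[seg];
  }
  target[path[0]] = value;
  return true;
}

// Hardened setter (hypothetical): rejects dangerous segments, descends only
// into own properties, and creates prototype-less containers.
function setSafe(store, key, value) {
  const path = key.split(':');
  if (path.some((seg) => FORBIDDEN.has(seg))) return false;
  let target = store;
  while (path.length > 1) {
    const seg = path.shift();
    const own = Object.prototype.hasOwnProperty.call(target, seg);
    if (!own || target[seg] === null || typeof target[seg] !== 'object') {
      target[seg] = Object.create(null);
    }
    target = target[seg];
  }
  target[path[0]] = value;
  return true;
}

// Runs both setters on constructed input and reports what each one did.
function demo() {
  const crafted = '__proto__:polluted'; // constructed sample key
  setUnsafe({}, crafted, 'yes');
  const unsafeLeak = ({}).polluted === 'yes'; // unrelated object is affected
  delete Object.prototype.polluted;           // restore global state
  const accepted = setSafe(Object.create(null), crafted, 'yes');
  const safeLeak = ({}).polluted !== undefined;
  const store = Object.create(null);
  setSafe(store, 'database:host', 'db.example.internal');
  return { unsafeLeak, accepted, safeLeak, host: store.database.host };
}
```

Upgrading to nconf 0.11.4 or later remains the fix for the package itself; a guard like `setSafe` applies to application code that builds its own nested setters from untrusted keys.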
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-api-rhel8 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-grafana-container | Fixed | RHSA-2022:1681 | 03.05.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-must-gather-container | Fixed | RHSA-2022:1681 | 03.05.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-operator-bundle-container | Fixed | RHSA-2022:1681 | 03.05.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | application-ui-container | Fixed | RHSA-2022:1681 | 03.05.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | assisted-image-service-container | Fixed | RHSA-2022:1681 | 03.05.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cert-policy-controller-container | Fixed | RHSA-2022:1681 | 03.05.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cluster-backup-operator-container | Fixed | RHSA-2022:1681 | 03.05.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | clusterclaims-controller-container | Fixed | RHSA-2022:1681 | 03.05.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cluster-curator-controller-container | Fixed | RHSA-2022:1681 | 03.05.2022 |
Additional information
Status:
EPSS
CVSS3: 7.3 High