Description
The convict package before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. Note: This vulnerability derives from an incomplete fix of another vulnerability.
A flaw was found in convict. This flaw allows an attacker to inject attributes used in other components and override existing attributes with ones that have an incompatible type, leading to a crash.
Report
The convict package is a transitive dependency and is not used directly in the Red Hat Advanced Cluster Security product. Hence, it is categorized as a Moderate impact.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-docs-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-main-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-rhel8-operator | Not affected | | |
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-roxctl-rhel8 | Not affected | | |
Additional information
Status:
9.8 Critical
CVSS3
Related vulnerabilities
The convict package before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508).
9.8 Critical
CVSS3