Description
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with the program file lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
A vulnerability related to predictable random number generation has been discovered in the form-data JavaScript library. The library uses Math.random() to generate the boundary string that delimits the parts of multipart form-encoded data.
This presents a security risk if an attacker can observe other values generated by Math.random() within the target application and at the same time controls at least one field of a request built with form-data. Under these conditions the attacker can predict the boundary value. Because the receiving parser splits the body on that boundary, a field value containing the predicted boundary is interpreted as additional parts, which is the HTTP parameter pollution the CVE title refers to. This can be leveraged to bypass security controls, manipulate form data, or cause data integrity issues or other forms of exploitation.
Statement
This flaw does not affect host systems. The impact of this vulnerability is limited to specific applications which integrate the form-data library. As a result, the impact of this CVE is limited on Red Hat systems.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Cryostat 4 | cryostat/cryostat-openshift-console-plugin-rhel9 | Affected | ||
Cryostat 4 | io.cryostat-cryostat | Not affected | ||
Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Affected | ||
Migration Toolkit for Applications 7 | mta/mta-ui-rhel9 | Affected | ||
Migration Toolkit for Containers | rhmtc/openshift-migration-ui-rhel8 | Affected | ||
Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-console-plugin-rhel9 | Affected | ||
Migration Toolkit for Virtualization | mtv-candidate/mtv-console-plugin-rhel9 | Affected | ||
Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Affected | ||
Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Affected | ||
Network Observability Operator | network-observability/network-observability-console-plugin-compat-rhel9 | Affected | ||
Additional information
Status:
EPSS
CVSS3: 5.4 Medium
Related vulnerabilities
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Use of Insufficiently Random Values vulnerability in form-data allows ...
form-data uses unsafe random function in form-data for choosing boundary