{
  "threat_severity" : "Low",
  "public_date" : "2018-04-18T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties",
    "id" : "1578246",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1578246"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.2",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-02-16T00:00:00Z",
    "advisory" : "RHSA-2021:0549",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:12-8030020210129141730.229f0a1c"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2020-06-19T00:00:00Z",
    "advisory" : "RHSA-2020:2625",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs8-nodejs-0:8.17.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.20.1-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2020-06-19T00:00:00Z",
    "advisory" : "RHSA-2020:2625",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs8-nodejs-0:8.17.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.20.1-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2020-06-19T00:00:00Z",
    "advisory" : "RHSA-2020:2625",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs8-nodejs-0:8.17.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.20.1-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0485",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs:10/nodejs-nodemon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "nodejs-deep-extend",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3",
    "fix_state" : "Not affected",
    "package_name" : "nodejs-deep-extend",
    "cpe" : "cpe:/a:redhat:openshift:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Fix deferred",
    "package_name" : "rh-nodejs10-nodejs-nodemon",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-nodejs4-nodejs-deep-extend",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-nodejs6-nodejs-deep-extend",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-3750\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-3750\nhttps://hackerone.com/reports/311333\nhttps://nodesecurity.io/advisories/612" ],
  "name" : "CVE-2018-3750",
  "csaw" : false
}