{
  "threat_severity" : "Important",
  "public_date" : "2020-04-01T00:00:00Z",
  "bugzilla" : {
    "description" : "npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js",
    "id" : "1844228",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1844228"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function \"deleteFunctions\" within \"index.js\".", "A flaw was found in serialize-javascript before version 3.1.0. This flaw allows remote attackers to inject arbitrary code via the function \"deleteFunctions\" within \"index.js\"." ],
  "statement" : "Red Hat Quay includes serialize-javascript as a dependency of webpack, which is only used at build time. The vulnerable library is not used at runtime, meaning this has a low impact on Red Hat Quay.\nThe currently supported versions of Container Native Virtualization 2 are not affected by this flaw. However, version 2.0, which is no longer supported, is affected.\nOpenShift distributed tracing bundles a vulnerable version of the serialize-javascript Node.js package; however, access to the vulnerable function is restricted and protected by OpenShift OAuth, hence the impact of this vulnerability is reduced to Low.\nIn Red Hat OpenShift Logging, the openshift-logging/kibana6-rhel8 container bundles many Node.js packages as build-time dependencies, including the serialize-javascript package.\nThe vulnerable code is not used, hence the impact of this vulnerability on OpenShift Logging is Low.",
  "affected_release" : [ {
    "product_name" : "OpenShift Service Mesh 1.0",
    "release_date" : "2020-07-07T00:00:00Z",
    "advisory" : "RHSA-2020:2861",
    "cpe" : "cpe:/a:redhat:service_mesh:1.0::el8",
    "package" : "servicemesh-grafana-0:6.2.2-38.el8",
    "impact" : "moderate"
  }, {
    "product_name" : "OpenShift Service Mesh 1.1",
    "release_date" : "2020-07-01T00:00:00Z",
    "advisory" : "RHSA-2020:2796",
    "cpe" : "cpe:/a:redhat:service_mesh:1.1::el8",
    "package" : "servicemesh-grafana-0:6.4.3-11.el8",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-prometheus",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Fix deferred",
    "package_name" : "rhosdt/jaeger-all-in-one-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Will not fix",
    "package_name" : "kubevirt-web-ui-container",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-web-ui-container",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs-serialize-javascript",
    "cpe" : "cpe:/a:redhat:quay:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-7660\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7660" ],
  "name" : "CVE-2020-7660",
  "csaw" : false
}