{
  "threat_severity" : "Moderate",
  "public_date" : "2020-10-25T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-y18n: prototype pollution vulnerability",
    "id" : "1898680",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1898680"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-915",
  "details" : [ "The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution.", "A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause a denial of service or, in rare circumstances, impact data integrity or confidentiality." ],
  "statement" : "In OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and OpenShift distributed tracing the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-y18n library to authenticated users only, therefore the impact is Low.\nIn Red Hat OpenShift Container Storage 4 the noobaa-core container includes the affected version of y18n as a dependency of yargs. However, no unsafe usage was found in which the module accepts untrusted input, and hence this issue has been rated as having a security impact of Low.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-12-15T00:00:00Z",
    "advisory" : "RHSA-2020:5499",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:12-8030020201124152102.229f0a1c",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-02-16T00:00:00Z",
    "advisory" : "RHSA-2021:0548",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:10-8030020210118191659.229f0a1c",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-02-16T00:00:00Z",
    "advisory" : "RHSA-2021:0551",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:14-8030020210126165503.229f0a1c",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-02-24T00:00:00Z",
    "advisory" : "RHSA-2020:5633",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el8",
    "package" : "openshift4/ose-grafana:v4.7.0-202102130115.p0",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.8",
    "release_date" : "2021-07-27T00:00:00Z",
    "advisory" : "RHSA-2021:2438",
    "cpe" : "cpe:/a:redhat:openshift:4.8::el8",
    "package" : "openshift4/ose-thanos-rhel8:v4.8.0-202106291913.p0.git.c358e96.assembly.stream",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Storage 4.7.0 on RHEL-8",
    "release_date" : "2021-05-19T00:00:00Z",
    "advisory" : "RHSA-2021:2041",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.7::el8",
    "package" : "ocs4/mcg-core-rhel8:5.7.0-60.2c1fdb0.5.7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2020-12-01T00:00:00Z",
    "advisory" : "RHSA-2020:5305",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.19.1-2.el7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0421",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs14-nodejs-0:14.15.4-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-02-15T00:00:00Z",
    "advisory" : "RHSA-2021:0521",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs10-nodejs-0:10.23.1-2.el7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2020-12-01T00:00:00Z",
    "advisory" : "RHSA-2020:5305",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.19.1-2.el7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0421",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs14-nodejs-0:14.15.4-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2021-02-15T00:00:00Z",
    "advisory" : "RHSA-2021:0521",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs10-nodejs-0:10.23.1-2.el7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2020-12-01T00:00:00Z",
    "advisory" : "RHSA-2020:5305",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.19.1-2.el7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0421",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs14-nodejs-0:14.15.4-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-02-15T00:00:00Z",
    "advisory" : "RHSA-2021:0521",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs10-nodejs-0:10.23.1-2.el7",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Affected",
    "package_name" : "kiali",
    "cpe" : "cpe:/a:redhat:service_mesh:1",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Fix deferred",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:1",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Not affected",
    "package_name" : "kiali",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Affected",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "y18n",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift3/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-prometheus",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Affected",
    "package_name" : "noobaa-core-container",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Affected",
    "package_name" : "odf4/mcg-core-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Fix deferred",
    "package_name" : "odf4/odf-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Fix deferred",
    "package_name" : "odf4/odf-multicluster-console-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-all-in-one-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "quay",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-7774\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7774\nhttps://snyk.io/vuln/SNYK-JS-Y18N-1021887" ],
  "name" : "CVE-2020-7774",
  "csaw" : false
}