{
  "threat_severity" : "Moderate",
  "public_date" : "2020-01-28T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-dot-prop: prototype pollution",
    "id" : "1868196",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1868196"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-471",
  "details" : [ "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.", "A prototype pollution flaw was found in nodejs-dot-prop. The set() function could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or __proto__ paths. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "statement" : "In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers are behind OpenShift OAuth, restricting access to the vulnerable dot-prop library to authenticated users only; therefore the impact is Low.\nRed Hat Openshift Container Storage 4 is not affected by this vulnerability, as it already includes a patched version of dot-prop (v5.2.0) in the noobaa-core container.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-10-19T00:00:00Z",
    "advisory" : "RHSA-2020:4272",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:12-8020020201007080935.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-02-16T00:00:00Z",
    "advisory" : "RHSA-2021:0548",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:10-8030020210118191659.229f0a1c"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4903",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.1",
    "package" : "nodejs:12-8010020201006223055.c27ad7f8"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2020-11-12T00:00:00Z",
    "advisory" : "RHSA-2020:5086",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.18.4-3.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-02-15T00:00:00Z",
    "advisory" : "RHSA-2021:0521",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs10-nodejs-0:10.23.1-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2020-11-12T00:00:00Z",
    "advisory" : "RHSA-2020:5086",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.18.4-3.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2021-02-15T00:00:00Z",
    "advisory" : "RHSA-2021:0521",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs10-nodejs-0:10.23.1-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2020-11-12T00:00:00Z",
    "advisory" : "RHSA-2020:5086",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.18.4-3.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-02-15T00:00:00Z",
    "advisory" : "RHSA-2021:0521",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs10-nodejs-0:10.23.1-2.el7"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Fix deferred",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:1",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:14/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-prometheus",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "ocs4/mcg-core-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs14-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8116\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8116\nhttps://hackerone.com/reports/719856" ],
  "name" : "CVE-2020-8116",
  "csaw" : false
}