{
  "threat_severity" : "Moderate",
  "public_date" : "2021-09-13T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-object-path: prototype pollution vulnerability",
    "id" : "2006397",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2006397"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-915",
  "details" : [ "object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "A flaw was found in the object-path nodejs library when the del() function is called to validate object properties. An attacker can manipulate or alter the prototype of an object, causing the modification of default properties on all objects. This could lead to a service disruption or a denial of service (DoS) attack." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8",
    "release_date" : "2021-10-20T00:00:00Z",
    "advisory" : "RHSA-2021:3925",
    "cpe" : "cpe:/a:redhat:acm:2.3::el8",
    "package" : "rhacm2/grc-ui-api-rhel8:v2.3.3-5",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8",
    "release_date" : "2021-10-20T00:00:00Z",
    "advisory" : "RHSA-2021:3925",
    "cpe" : "cpe:/a:redhat:acm:2.3::el8",
    "package" : "rhacm2/search-api-rhel8:v2.3.3-5",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8",
    "release_date" : "2021-10-20T00:00:00Z",
    "advisory" : "RHSA-2021:3925",
    "cpe" : "cpe:/a:redhat:acm:2.3::el8",
    "package" : "rhacm2/search-ui-rhel8:v2.3.3-7",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Out of support scope",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Affected",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/application-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Fix deferred",
    "package_name" : "rhacm2/console-api-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Fix deferred",
    "package_name" : "rhacm2/grc-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Fix deferred",
    "package_name" : "rhacm2/mcm-topology-api-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3805\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3805" ],
  "name" : "CVE-2021-3805",
  "csaw" : false
}