{ "threat_severity" : "Moderate", "public_date" : "2022-11-26T00:00:00Z", "bugzilla" : { "description" : "express: \"qs\" prototype poisoning causes the hang of the node process", "id" : "2150323", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2150323" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-1321", "details" : [ "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", "A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service." ], "statement" : "- The qs and express Package is not used by the OpenShift Container Platform console directly and is only a third-party package dependency. Hence, it is marked as wontfix. \nAs a result, any services that depend on Openshift for their use of qs and express are marked won't fix. \n- In OpenShift Service Mesh, 'qs' is hoisted from storybook and node-sass, both are dev dependencies, and the vulnerability is not exposed to end users. Hence marked as wontfix.", "affected_release" : [ { "product_name" : "MTA-6.0-RHEL-8", "release_date" : "2023-02-28T00:00:00Z", "advisory" : "RHSA-2023:0934", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.0::el8", "package" : "mta/mta-ui-rhel8:6.0.1-10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-01-09T00:00:00Z", "advisory" : "RHSA-2023:0050", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:14-8070020221212161539.bd1311ed" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date" : "2023-03-30T00:00:00Z", "advisory" : "RHSA-2023:1533", "cpe" : "cpe:/a:redhat:rhel_eus:8.4", "package" : "nodejs:14-8040020230306170312.522a0ee4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date" : "2023-04-12T00:00:00Z", "advisory" : "RHSA-2023:1742", "cpe" : "cpe:/a:redhat:rhel_eus:8.6", "package" : "nodejs:14-8060020230306170237.ad008a3a" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.7", "release_date" : "2023-03-23T00:00:00Z", "advisory" : "RHSA-2023:1428", "cpe" : "cpe:/a:redhat:rhmt:1.7::el8", "package" : "rhmtc/openshift-migration-ui-rhel8:v1.7.8-5" }, { "product_name" : "Red Hat OpenShift Service Mesh 2.2 for RHEL 8", "release_date" : "2023-06-15T00:00:00Z", "advisory" : "RHSA-2023:3645", "cpe" : "cpe:/a:redhat:service_mesh:2.2::el8", "package" : "openshift-service-mesh/prometheus-rhel8:2.2.7-7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2023-02-06T00:00:00Z", "advisory" : "RHSA-2023:0612", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs14-nodejs-0:14.21.1-3.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2023-02-06T00:00:00Z", "advisory" : "RHSA-2023:0612", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs14-nodejs-nodemon-0:2.0.20-2.el7" }, { "product_name" : "RHODF-4.12-RHEL-8", "release_date" : "2023-05-23T00:00:00Z", "advisory" : "RHSA-2023:3265", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.12::el8", "package" : "odf4/mcg-core-rhel8:v4.12.3-4" }, { "product_name" : "RHOL-5.5-RHEL-8", "release_date" : "2023-03-08T00:00:00Z", "advisory" : "RHSA-2023:0930", "cpe" : "cpe:/a:redhat:logging:5.5::el8", "package" : "openshift-logging/logging-view-plugin-rhel8:v5.5.8-3" }, { "product_name" : "RHOL-5.6-RHEL-8", "release_date" : "2023-03-08T00:00:00Z", "advisory" : "RHSA-2023:0932", "cpe" : "cpe:/a:redhat:logging:5.6::el8", "package" : "openshift-logging/logging-view-plugin-rhel8:v5.6.3-5" } ], "package_state" : [ { "product_name" : "Migration Toolkit for Virtualization", "fix_state" : "Fix deferred", "package_name" : "migration-toolkit-virtualization/mtv-ui-rhel8", "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2" }, { "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux", "fix_state" : "Out of support scope", "package_name" : "rh-dotnet31-dotnet", "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "odo", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Will not fix", "package_name" : "openshift-service-mesh/kiali-rhel8", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "OpenShift Service Mesh 2.1", "fix_state" : "Will not fix", "package_name" : "openshift-service-mesh/kiali-rhel8", "cpe" : "cpe:/a:redhat:service_mesh:2.1" }, { "product_name" : "OpenShift Service Mesh 2.1", "fix_state" : "Will not fix", "package_name" : "servicemesh-grafana", "cpe" : "cpe:/a:redhat:service_mesh:2.1" }, { "product_name" : "OpenShift Service Mesh 2.1", "fix_state" : "Will not fix", "package_name" : "servicemesh-prometheus", "cpe" : "cpe:/a:redhat:service_mesh:2.1" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Will not fix", "package_name" : "rhacm2/application-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Will not fix", "package_name" : "rhacm2/console-api-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Will not fix", "package_name" : "rhacm2/console-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Will not fix", "package_name" : "rhacm2/grc-ui-api-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Will not fix", "package_name" : "rhacm2/grc-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/search-api-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Will not fix", "package_name" : "rhacm2/search-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Security 3", "fix_state" : "Affected", "package_name" : "advanced-cluster-security/rhacs-docs-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:3" }, { "product_name" : "Red Hat Advanced Cluster Security 3", "fix_state" : "Will not fix", "package_name" : "advanced-cluster-security/rhacs-main-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:3" }, { "product_name" : "Red Hat Advanced Cluster Security 3", "fix_state" : "Will not fix", "package_name" : "advanced-cluster-security/rhacs-rhel8-operator", "cpe" : "cpe:/a:redhat:advanced_cluster_security:3" }, { "product_name" : "Red Hat Advanced Cluster Security 3", "fix_state" : "Will not fix", "package_name" : "advanced-cluster-security/rhacs-roxctl-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:3" }, { "product_name" : "Red Hat Ansible Automation Platform 1.2", "fix_state" : "Affected", "package_name" : "qs", "cpe" : "cpe:/a:redhat:ansible_automation_platform" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "aap-azure-ui", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "qs", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat Ceph Storage 4", "fix_state" : "Will not fix", "package_name" : "cockpit-ceph-installer", "cpe" : "cpe:/a:redhat:ceph_storage:4" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Out of support scope", "package_name" : "qs", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Directory Server 11", "fix_state" : "Will not fix", "package_name" : "redhat-ds:11/389-ds-base", "cpe" : "cpe:/a:redhat:directory_server:11" }, { "product_name" : "Red Hat Discovery 1", "fix_state" : "Affected", "package_name" : "discovery-server-container", "cpe" : "cpe:/a:redhat:discovery:1" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "nodejs", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "nodejs:16/nodejs", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "nodejs:18/nodejs", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "nodejs", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "nodejs:18/nodejs", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "nodejs-qs", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Affected", "package_name" : "qs", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "nodejs-qs", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "nodejs", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "openshift3/ose-console", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-console", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Openshift Container Storage 4", "fix_state" : "Out of support scope", "package_name" : "ocs4/mcg-core-rhel8", "cpe" : "cpe:/a:redhat:openshift_container_storage:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "nodejs", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "noobaa-core-container", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Will not fix", "package_name" : "odf4/odf-console-rhel9", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Will not fix", "package_name" : "odf4/odf-multicluster-console-rhel8", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/code-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/dashboard-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Will not fix", "package_name" : "devspaces-theia-endpoint-rhel8-container", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Will not fix", "package_name" : "devspaces-theia-rhel8-container", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-1/argocd-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Affected", "package_name" : "container-native-virtualization/kubevirt-console-plugin", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Out of support scope", "package_name" : "qs", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Will not fix", "package_name" : "quay/quay-rhel8", "cpe" : "cpe:/a:redhat:quay:3" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Will not fix", "package_name" : "satellite:el8/rubygem-rabl", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Will not fix", "package_name" : "tfm-rubygem-rabl", "cpe" : "cpe:/a:redhat:satellite:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-24999\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24999\nhttps://github.com/expressjs/express/releases/tag/4.17.3\nhttps://github.com/ljharb/qs/pull/428\nhttps://github.com/n8tz/CVE-2022-24999" ], "name" : "CVE-2022-24999", "csaw" : false }