{
  "threat_severity" : "Important",
  "public_date" : "2022-10-14T00:00:00Z",
  "bugzilla" : {
    "description" : "loader-utils: prototype pollution in function parseQuery in parseQuery.js",
    "id" : "2134876",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2134876"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1321",
  "details" : [ "Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.", "A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in the webpack loader-utils via the name variable in parseQuery.js. This flaw can lead to a denial of service or remote code execution." ],
  "statement" : "Packages shipped in Red Hat Enterprise Linux use 'loader-utils' as a transitive dependency, which reduces the impact to Moderate.\nIn Red Hat containerized products like OCP and ODF, the vulnerable loader-utils NodeJS module is bundled as a transitive dependency, hence the direct impact is reduced to Moderate.",
  "affected_release" : [ {
    "product_name" : "MTA-6.0-RHEL-8",
    "release_date" : "2023-02-28T00:00:00Z",
    "advisory" : "RHSA-2023:0934",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.0::el8",
    "package" : "mta/mta-ui-rhel8:6.0.1-10",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOL-5.6-RHEL-8",
    "release_date" : "2023-01-19T00:00:00Z",
    "advisory" : "RHSA-2023:0264",
    "cpe" : "cpe:/a:redhat:logging:5.6::el8",
    "package" : "openshift-logging/logging-view-plugin-rhel8:v5.6.0-28",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5",
    "impact" : "moderate"
  }, {
    "product_name" : "Migration Toolkit for Virtualization",
    "fix_state" : "Fix deferred",
    "package_name" : "migration-toolkit-virtualization/mtv-ui-rhel8",
    "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2",
    "impact" : "moderate"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Will not fix",
    "package_name" : "odo",
    "cpe" : "cpe:/a:redhat:ocp_tools",
    "impact" : "moderate"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Affected",
    "package_name" : "openshift-service-mesh/kiali-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2.1",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift-service-mesh/kiali-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2.1",
    "impact" : "moderate"
  }, {
    "product_name" : "OpenShift Service Mesh 2.1",
    "fix_state" : "Out of support scope",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:2.1",
    "impact" : "moderate"
  }, {
    "product_name" : "OpenShift Service Mesh 2.1",
    "fix_state" : "Out of support scope",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:2.1",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat A-MQ Online",
    "fix_state" : "Not affected",
    "package_name" : "loader-utils",
    "cpe" : "cpe:/a:redhat:amq_online:1",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Not affected",
    "package_name" : "loader-utils",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "loader-utils",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "loader-utils",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Discovery 1",
    "fix_state" : "Affected",
    "package_name" : "discovery-server-container",
    "cpe" : "cpe:/a:redhat:discovery:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "389-ds:1.4/389-ds-base",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "container-tools:rhel8/cockpit-podman",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "mozjs60",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "gjs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "polkit",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "loader-utils",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "loader-utils",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift3/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Will not fix",
    "package_name" : "odf4/odf-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Will not fix",
    "package_name" : "odf4/odf-multicluster-console-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Will not fix",
    "package_name" : "devspaces-theia-rhel8-container",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-agent-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Affected",
    "package_name" : "rhosdt/jaeger-all-in-one-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-collector-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-es-index-cleaner-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-es-rollover-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-ingester-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhosdt/jaeger-query-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "container-native-virtualization/kubevirt-console-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "loader-utils",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "tfm-rubygem-rabl",
    "cpe" : "cpe:/a:redhat:satellite:6",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "loader-utils",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-37601\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-37601\nhttps://github.com/webpack/loader-utils/issues/212" ],
  "name" : "CVE-2022-37601",
  "csaw" : false
}