{ "threat_severity" : "Important", "public_date" : "2021-08-30T00:00:00Z", "bugzilla" : { "description" : "nodejs-immer: prototype pollution may lead to DoS or remote code execution", "id" : "2000734", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2000734" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-915", "details" : [ "immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "A flaw was found in immer when manipulates object attributes such as _proto_, constructor and prototype. An attacker can manipulate these values by overwriting and polluting them. Those attributes would be inherited by JavaScript objects which could trigger exception handlers and leading into a denial of service attack." ], "statement" : "In OpenShift Container Platform (OCP) and OpenShift Migration Toolkit for Containers (MTC), the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-immer library to authenticated users only, therefore the impact is Low.", "affected_release" : [ { "product_name" : "Red Hat Migration Toolkit for Containers 1.5", "release_date" : "2021-11-29T00:00:00Z", "advisory" : "RHSA-2021:4848", "cpe" : "cpe:/a:redhat:rhmt:1.5::el8", "package" : "rhmtc/openshift-migration-ui-rhel8:v1.5.2-6", "impact" : "low" } ], "package_state" : [ { "product_name" : "OpenShift Service Mesh 1", "fix_state" : "Out of support scope", "package_name" : "servicemesh-grafana", "cpe" : "cpe:/a:redhat:service_mesh:1", "impact" : "moderate" }, { "product_name" : "OpenShift Service Mesh 1", "fix_state" : "Out of support scope", "package_name" : "servicemesh-prometheus", "cpe" : "cpe:/a:redhat:service_mesh:1", "impact" : "moderate" }, { "product_name" : "OpenShift Service Mesh 2.0", "fix_state" : "Affected", "package_name" : "servicemesh-grafana", "cpe" : "cpe:/a:redhat:service_mesh:2.0" }, { "product_name" : "OpenShift Service Mesh 2.0", "fix_state" : "Affected", "package_name" : "servicemesh-prometheus", "cpe" : "cpe:/a:redhat:service_mesh:2.0" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/console-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/kui-web-terminal-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/search-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-grafana", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-prometheus-rhel9", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-thanos-rhel8", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "low" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3757\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3757\nhttps://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa" ], "name" : "CVE-2021-3757", "csaw" : false }