CVE-2021-23807
Public on
Last Modified:
Description
A Type Confusion vulnerability was found in node-jsonpointer. This issue leads to the bypass of a previous Prototype Pollution fix when the pointer components are arrays. This flaw allows an attacker to use objects of incompatible base types, leading to remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Statement
In Red Hat Quay, JSON pointer is a development dependency, therefore the impact of this flaw is rated Low. A fix may be delivered in future Quay updates.
Hadoop-container is affected, but it's deprecated since OpenShift Container Platform 4.6, hence marked as WONTFIX.
Additional information
- Bugzilla 2020365: nodejs-jsonpointer: type confusion vulnerability can lead to a bypass of a previous prototype pollution fix when the pointer components are arrays
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
- FAQ: Frequently asked questions about CVE-2021-23807
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
The following CVSS metrics and score provided are preliminary and subject to review.
| Red Hat | NVD | |
|---|---|---|
CVSS v3 Base Score | 7.3 | 9.8 |
Attack Vector | Network | Network |
Attack Complexity | Low | Low |
Privileges Required | None | None |
User Interaction | None | None |
Scope | Unchanged | Unchanged |
Confidentiality Impact | Low | High |
Integrity Impact | Low | High |
Availability Impact | Low | High |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
NVD: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat CVSS v3 Score Explanation
The Confidentiality, Integrity and Availability metrics should be reduced to Low value, because:
- Successful exploitation may lead to some loss of confidentiality, but it's not under attacker control what information will be obtained.
- Like above, potentially an attacker may be able to modify some data, but does not have control over the consequences of that modification.
- An attacker is not able to determine if successful exploitation will affect the availability of the target environment. There may appear some performance reduction due to additional errors handling (more resources consumption) but overall there is no direct impact to the availability of the target environment. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users.
Understanding the Weakness (CWE)
Integrity
Technical Impact: Modify Application Data
An attacker could modify sensitive data or program variables.
Integrity
Technical Impact: Execute Unauthorized Code or Commands
Other,Integrity
Technical Impact: Varies by Context; Alter Execution Logic
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.
