CVE-2020-28477 - Vulnerability Details - OpenCVE

This affects all versions of package immer.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00618.

Key SSVC decision points have not yet been added.

Vendors	Products
Immer Project	Immer
Redhat	Rhev Manager

Configuration 1 [-]

cpe:2.3:a:immer_project:immer:*:*:*:*:*:node.js:*:*

Package	CPE	Advisory	Released Date
Red Hat Virtualization Engine 4.4
ovirt-web-ui-0:1.6.7-1.el8ev	cpe:/a:redhat:rhev_manager:4.4:el8	RHSA-2021:1169	2021-04-14T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-0500	This affects all versions of package immer.
Github GHSA	GHSA-9qmh-276g-x5pj	Prototype Pollution in immer

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213
https://nvd.nist.gov/vuln/detail/CVE-2020-28477
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986
https://snyk.io/vuln/SNYK-JS-IMMER-1019369
https://www.cve.org/CVERecord?id=CVE-2020-28477

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2021-01-19T10:20:13.022549Z

Updated: 2024-09-17T04:25:21.993Z

Reserved: 2020-11-12T00:00:00

Link: CVE-2020-28477

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-01-19T11:15:13.167

Modified: 2024-11-21T05:22:52.393

Link: CVE-2020-28477

Redhat

Severity : Moderate

Publid Date: 2021-01-19T00:00:00Z

Links: CVE-2020-28477 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "immer", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Alessio Della Libera (d3lla)"}], "datePublic": "2021-01-19T00:00:00", "descriptions": [{"lang": "en", "value": "This affects all versions of package immer."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "UNAVAILABLE", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 7.1, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Prototype Pollution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-19T10:20:12", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-IMMER-1019369"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213"}], "title": "Prototype Pollution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-01-19T10:16:28.654636Z", "ID": "CVE-2020-28477", "STATE": "PUBLIC", "TITLE": "Prototype Pollution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "immer", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Alessio Della Libera (d3lla)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects all versions of package immer."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Prototype Pollution"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-IMMER-1019369", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-IMMER-1019369"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986"}, {"name": "https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213", "refsource": "MISC", "url": "https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:40:58.850Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-IMMER-1019369"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-28477", "datePublished": "2021-01-19T10:20:13.022549Z", "dateReserved": "2020-11-12T00:00:00", "dateUpdated": "2024-09-17T04:25:21.993Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:immer_project:immer:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "34A4B894-BEB8-47C4-AD4E-9D5C8DD8BD27", "versionEndExcluding": "8.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects all versions of package immer."}, {"lang": "es", "value": "Esto afecta a todas las versiones del paquete immer"}], "id": "CVE-2020-28477", "lastModified": "2024-11-21T05:22:52.393", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2021-01-19T11:15:13.167", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-IMMER-1019369"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-IMMER-1019369"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:1169", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "impact": "low", "package": "ovirt-web-ui-0:1.6.7-1.el8ev", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2021-04-14T00:00:00Z"}], "bugzilla": {"description": "nodejs-immer: prototype pollution may lead to DoS or remote code execution", "id": "1918162", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1918162"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-915", "details": ["This affects all versions of package immer."], "name": "CVE-2020-28477", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "kiali", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "kiali", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "configmap-watcher", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "endpoint-component-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "management-ingress", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acmesolver-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/grc-ui-api-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/kui-web-terminal-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/mcm-topology-api-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/metrics-collector-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-01-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-28477\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28477\nhttps://snyk.io/vuln/SNYK-JS-IMMER-1019369"], "statement": "Red Hat Virtualization includes affected version of nodejs-immer, however the usage does not meet the conditions required to exploit the flaw, therefore the impact is Low.\nIn OpenShift Container Platform 4.6 (OCP) the openshift4/ose-prometheus container ships the vulnerable version of the nodejs-immer, however the Prometheus react-ui is disabled, hence this flaw cannot be exploited. As openshift4/ose-prometheus container still packages the vulnerable code, this component is affected with impact Low. This may be fixed in a future release.", "threat_severity": "Moderate"}