{"containers": {"cna": {"affected": [{"product": "dot-prop", "vendor": "n/a", "versions": [{"status": "affected", "version": "before 4.2.1"}, {"status": "affected", "version": "5.x before 5.1.1"}, {"status": "affected", "version": "Fixed in 5.1.1"}]}], "descriptions": [{"lang": "en", "value": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-471", "description": "Modification of Assumed-Immutable Data (MAID) (CWE-471)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-10T14:12:12", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/719856"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/sindresorhus/dot-prop/tree/v4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/sindresorhus/dot-prop/issues/63"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8116", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "dot-prop", "version": {"version_data": [{"version_value": "before 4.2.1"}, {"version_value": "5.x before 5.1.1"}, {"version_value": "Fixed in 5.1.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Modification of Assumed-Immutable Data (MAID) (CWE-471)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/719856", "refsource": "MISC", "url": "https://hackerone.com/reports/719856"}, {"name": "https://github.com/sindresorhus/dot-prop/tree/v4", "refsource": "MISC", "url": "https://github.com/sindresorhus/dot-prop/tree/v4"}, {"name": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm", "refsource": "MISC", "url": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm"}, {"name": "https://github.com/sindresorhus/dot-prop/issues/63", "refsource": "MISC", "url": "https://github.com/sindresorhus/dot-prop/issues/63"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:25.632Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/719856"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sindresorhus/dot-prop/tree/v4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sindresorhus/dot-prop/issues/63"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8116", "datePublished": "2020-02-04T19:08:57", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2024-08-04T09:48:25.632Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dot-prop_project:dot-prop:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9EFF2C93-F28E-47DE-A654-0B614FB1D5B8", "versionEndExcluding": "4.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:dot-prop_project:dot-prop:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F8DD28C3-2237-4DD4-AAB4-455A93029B51", "versionEndExcluding": "5.1.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects."}, {"lang": "es", "value": "Una vulnerabilidad de contaminaci\u00f3n de prototipo en el paquete dot-prop npm en versiones anteriores a 4.2.1 y versiones 5.x anteriores a 5.1.1, permite a un atacante agregar propiedades arbitrarias en las construcciones del lenguaje JavaScript, tales como objetos"}], "id": "CVE-2020-8116", "lastModified": "2022-08-05T19:32:41.867", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-04T20:15:13.353", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm"}, {"source": "support@hackerone.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/sindresorhus/dot-prop/issues/63"}, {"source": "support@hackerone.com", "tags": ["Broken Link"], "url": "https://github.com/sindresorhus/dot-prop/tree/v4"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/719856"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-471"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4272", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:12-8020020201007080935.4cda2c84", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-10-19T00:00:00Z"}, {"advisory": "RHSA-2021:0548", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:10-8030020210118191659.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-02-16T00:00:00Z"}, {"advisory": "RHSA-2020:4903", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "nodejs:12-8010020201006223055.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHSA-2020:5086", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.18.4-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-11-12T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-15T00:00:00Z"}, {"advisory": "RHSA-2020:5086", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.18.4-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-11-12T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-15T00:00:00Z"}, {"advisory": "RHSA-2020:5086", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.18.4-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-11-12T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-15T00:00:00Z"}], "bugzilla": {"description": "nodejs-dot-prop: prototype pollution", "id": "1868196", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1868196"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-471", "details": ["Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.", "A prototype pollution flaw was found in nodejs-dot-prop. The function set could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or _proto_ paths. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2020-8116", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "impact": "low", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:14/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs14-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2020-01-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8116\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8116\nhttps://hackerone.com/reports/719856"], "statement": "In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers are behind OpenShift OAuth restricting access to the vulnerable dot-prop library to authenticated users only, therefore the impact is Low.\nRed Hat Openshift Container Storage 4 is not affected by this vulnerability, as it already includes patched version of dot-prop(v5.2.0) in noobaa-core container.", "threat_severity": "Moderate", "upstream_fix": "nodejs-dot-prop 5.1.1, nodejs-dot-prop 4.2.1"}