CVE-2021-21297 - OpenCVE

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nodered	Node-red

Configuration 1 [-]

cpe:2.3:a:nodered:node-red:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/node-red/node-red/releases/tag/1.2.8
https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67
https://www.npmjs.com/package/%40node-red/editor-api
https://www.npmjs.com/package/%40node-red/runtime

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-02-26T16:20:17

Updated: 2024-08-03T18:09:15.688Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21297

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-26T17:15:12.210

Modified: 2023-11-07T03:29:45.950

Link: CVE-2021-21297

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "node-red", "vendor": "node-red", "versions": [{"status": "affected", "version": "< 1.2.8"}]}], "descriptions": [{"lang": "en", "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-26T16:20:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40node-red/runtime"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40node-red/editor-api"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"}], "source": {"advisory": "GHSA-xp9c-82x8-7f67", "discovery": "UNKNOWN"}, "title": "Prototype Pollution in Node-Red", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21297", "STATE": "PUBLIC", "TITLE": "Prototype Pollution in Node-Red"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "node-red", "version": {"version_data": [{"version_value": "< 1.2.8"}]}}]}, "vendor_name": "node-red"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}, {"description": [{"lang": "eng", "value": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}]}, "references": {"reference_data": [{"name": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67", "refsource": "CONFIRM", "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"}, {"name": "https://www.npmjs.com/package/@node-red/runtime", "refsource": "MISC", "url": "https://www.npmjs.com/package/@node-red/runtime"}, {"name": "https://www.npmjs.com/package/@node-red/editor-api", "refsource": "MISC", "url": "https://www.npmjs.com/package/@node-red/editor-api"}, {"name": "https://github.com/node-red/node-red/releases/tag/1.2.8", "refsource": "MISC", "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"}]}, "source": {"advisory": "GHSA-xp9c-82x8-7f67", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.688Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40node-red/runtime"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40node-red/editor-api"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21297", "datePublished": "2021-02-26T16:20:17", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.688Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodered:node-red:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FD380E45-4954-4427-90D5-66896B983B30", "versionEndExcluding": "1.2.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url."}, {"lang": "es", "value": "Node-Red es una programaci\u00f3n de low-code para aplicaciones basadas en eventos dise\u00f1adas usando nodejs. Node-RED versiones 1.2.7 y anteriores contienen, una vulnerabilidad de Contaminaci\u00f3n de Prototipos en la API de administraci\u00f3n. Una petici\u00f3n mal formada puede modificar el prototipo del Objeto JavaScript predeterminado con el potencial de afectar el comportamiento predeterminado del tiempo de ejecuci\u00f3n de Node-RED. La vulnerabilidad est\u00e1 parcheada en versi\u00f3n 1.2.8. Una soluci\u00f3n alternativa es asegurarse de que solo los usuarios autorizados puedan ser capaces de acceder a la URL de editor"}], "id": "CVE-2021-21297", "lastModified": "2023-11-07T03:29:45.950", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-02-26T17:15:12.210", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40node-red/editor-api"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40node-red/runtime"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1321"}, {"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Secondary"}]}