CVE-2021-42581 - OpenCVE

Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ramdajs	Ramda
Redhat	Ceph Storage

Configuration 1 [-]

cpe:2.3:a:ramdajs:ramda:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Ceph Storage 6.1
rhceph/rhceph-6-dashboard-rhel9:6-75	cpe:/a:redhat:ceph_storage:6.1::el9	RHSA-2023:3642	2023-06-15T00:00:00Z

References

Link	Providers
https://github.com/ramda/ramda/pull/3192
https://jsfiddle.net/3pomzw5g/2/
https://nvd.nist.gov/vuln/detail/CVE-2021-42581
https://www.cve.org/CVERecord?id=CVE-2021-42581

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-05-10T10:08:13

Updated: 2024-08-04T03:38:49.341Z

Reserved: 2021-10-18T00:00:00

Link: CVE-2021-42581

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-05-10T11:15:07.970

Modified: 2024-08-04T04:16:04.750

Link: CVE-2021-42581

Redhat

Severity : Moderate

Publid Date: 2022-05-10T00:00:00Z

Links: CVE-2021-42581 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property \"__proto__\") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-06-01T02:55:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ramda/ramda/pull/3192"}, {"tags": ["x_refsource_MISC"], "url": "https://jsfiddle.net/3pomzw5g/2/"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-42581", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property \"__proto__\") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ramda/ramda/pull/3192", "refsource": "MISC", "url": "https://github.com/ramda/ramda/pull/3192"}, {"name": "https://jsfiddle.net/3pomzw5g/2/", "refsource": "MISC", "url": "https://jsfiddle.net/3pomzw5g/2/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:38:49.341Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ramda/ramda/pull/3192"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jsfiddle.net/3pomzw5g/2/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-42581", "datePublished": "2022-05-10T10:08:13", "dateReserved": "2021-10-18T00:00:00", "dateUpdated": "2024-08-04T03:38:49.341Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ramdajs:ramda:*:*:*:*:*:*:*:*", "matchCriteriaId": "35C690CD-6238-49F8-9218-41F245BFAE97", "versionEndIncluding": "0.27.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property \"__proto__\") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes"}, {"lang": "es", "value": "** EN DISPUTA ** Un envenenamiento de prototipos en la funci\u00f3n mapObjIndexed en Ramda versiones 0.27.0 y anteriores, permite a atacantes comprometer la integridad o la disponibilidad de la aplicaci\u00f3n por medio del suministro de un objeto dise\u00f1ado (que contiene una propiedad propia \"__proto__\") como argumento de la funci\u00f3n. NOTA: el proveedor discute esto porque el comportamiento observado s\u00f3lo significa que un usuario puede crear objetos que el usuario no sab\u00eda que contendr\u00edan prototipos personalizados"}], "id": "CVE-2021-42581", "lastModified": "2024-08-04T04:16:04.750", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-10T11:15:07.970", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/ramda/ramda/pull/3192"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://jsfiddle.net/3pomzw5g/2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3642", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el9", "package": "rhceph/rhceph-6-dashboard-rhel9:6-75", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2023-06-15T00:00:00Z"}], "bugzilla": {"description": "ramda: prototype poisoning", "id": "2083778", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2083778"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "status": "verified"}, "cwe": "CWE-1321", "details": ["Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property \"__proto__\") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes", "A flaw was found in the Ramda NPM package that involves prototype poisoning. This flaw allows attackers to supply a crafted object, affecting the integrity or availability of the application."], "name": "CVE-2021-42581", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Not affected", "package_name": "migration-toolkit-virtualization/mtv-ui-rhel8", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Will not fix", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "impact": "moderate", "package_name": "rhacm2/application-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "impact": "moderate", "package_name": "rhacm2/grc-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/kui-web-terminal-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:amq_online:1", "fix_state": "Will not fix", "impact": "moderate", "package_name": "ramda", "product_name": "Red Hat A-MQ Online"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "impact": "low", "package_name": "ramda", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/odf-console-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "impact": "low", "package_name": "ramda", "product_name": "Red Hat Process Automation 7"}], "public_date": "2022-05-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-42581\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-42581\nhttps://github.com/ramda/ramda/pull/3192"], "statement": "In Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are the application-ui container up to and including RHACM 2.4.4, 2.3.10 and 2.2.13 and grc-ui container up to and including RHACM 2.2.13 versions. However not any RHACM is affected in the kui-web-terminal container as is using already patched and not affected version, therefore we are not impacted in this particular component. In RHACM these components are behind OpenShift OAuth. This restricts access to the vulnerable ramda library to authenticated users only, therefore the impact is reduced to Moderate.", "threat_severity": "Moderate", "upstream_fix": "ramda 0.27.1"}