CVE-2019-10747: Critical severity IBM Cloud Pak for Security vulnerability
A flaw was found in the Node.js set-value module (nodejs-set-value). Its set function can be tricked into adding or modifying properties of Object.prototype when the property path it is given contains a constructor, prototype, or __proto__ segment. The highest threat from this vulnerability is to data confidentiality and integrity.
Other sources
A vulnerability was found in Node.js set-value, where set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.
Reference: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213 https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E
— Red Hat
Node.js set-value module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to inject properties onto Object.prototype to cause a denial of service condition.
— IBM
Versions of set-value prior to 3.0.1 on the 3.x line, or prior to 2.0.1 on the 2.x line, are vulnerable to Prototype Pollution. The set function does not validate the keys in the property path it writes, so a path containing a __proto__, constructor, or prototype segment lets an attacker modify Object.prototype, adding or altering a property that every object inheriting from it then exposes.
Recommendation
If you are using set-value 3.x, upgrade to version 3.0.1 or later. If you are using set-value 2.x, upgrade to version 2.0.1 or later.
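The flaw described above, and the key validation that the fixed releases apply, as an added example in JavaScript. This is not set-value's own code: setPathUnsafe and setPathSafe are small illustrative dot-path setters modelled on the set(obj, 'a.b.c', value) calling convention, applySettings is an assumed sink that feeds untrusted JSON keys into such a setter, and pollutesGlobalPrototype is a probe that reports whether a call leaked a property onto an unrelated object. Throwing on an unsafe key is this example's choice, not a claim about how the module itself reacts.

```javascript
// Added illustration for CVE-2019-10747 (NOT set-value's own code):
// a minimal dot-path setter in the style of set(obj, 'a.b.c', value),
// first without key validation (the flaw class), then with it.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isTraversable(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable variant: every path segment is looked up on the current node,
// inherited properties included, so '__proto__' walks onto Object.prototype
// and 'constructor.prototype' reaches it through the Object function.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!isTraversable(cur[k])) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened variant: reject the three dangerous segment names before touching
// the target, and only descend into the target's own plain-object properties,
// never into inherited ones. The write can no longer reach Object.prototype.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (UNSAFE_KEYS.has(k)) {
      throw new Error(`refusing unsafe key "${k}" in path "${path}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Assumed sink: untrusted "path: value" pairs (e.g. a JSON request body)
// applied with whichever setter the application uses.
function applySettings(setter, settings, untrustedJson) {
  const updates = JSON.parse(untrustedJson);
  for (const [path, value] of Object.entries(updates)) {
    setter(settings, path, value);
  }
  return settings;
}

// Probe: does calling `setter` with `path` leak a property named `marker`
// onto an unrelated object created beforehand? Cleans up afterwards so later
// checks start from an unpolluted Object.prototype.
function pollutesGlobalPrototype(setter, path, marker) {
  const bystander = {};
  let threw = false;
  try {
    setter({}, path, 'polluted');
  } catch (e) {
    threw = true;
  }
  const leaked = bystander[marker] === 'polluted';
  delete Object.prototype[marker];
  return { leaked, threw };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe __proto__            :', pollutesGlobalPrototype(setPathUnsafe, '__proto__.isAdmin', 'isAdmin'));
  console.log('unsafe constructor.prototype:', pollutesGlobalPrototype(setPathUnsafe, 'constructor.prototype.isAdmin', 'isAdmin'));
  console.log('safe   __proto__            :', pollutesGlobalPrototype(setPathSafe, '__proto__.isAdmin', 'isAdmin'));
  console.log('safe   normal path          :', JSON.stringify(setPathSafe({}, 'server.port', 8080)));
}
```

The probe creates its bystander object before the setter runs, so a true `leaked` result means the property arrived through the shared prototype rather than through the object the caller passed in. In a real service the equivalent of applySettings with the unsafe setter is the sink to look for: any place where a user-controlled string becomes the path argument of a deep setter or merge.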
Frequently Asked Questions
What is CVE-2019-10747?
CVE-2019-10747 is a prototype pollution vulnerability in the Node.js set-value module (versions before 3.0.1, or before 2.0.1 on the 2.x line).
What is the severity of CVE-2019-10747?
CVE-2019-10747 has a CVSS v3 base score of 9.8 (Critical).
How can CVE-2019-10747 be exploited?
An attacker who controls the property path passed to set-value's set function (for example, keys taken from a JSON request body) can include a __proto__, constructor, or prototype segment so that the write lands on Object.prototype instead of the target object. The added or changed property is then inherited by every object in the process, which can alter application logic, expose data, or, as IBM's advisory notes, cause a denial of service.
What is the affected software for CVE-2019-10747?
The affected software for CVE-2019-10747 includes the Node.js set-value module in versions lower than 3.0.1 (and 2.x versions lower than 2.0.1), IBM Cloud Pak for Security (CP4S) versions up to 1.6.0.1, and other products that bundle the vulnerable module.
How can the vulnerability in CVE-2019-10747 be fixed?
The vulnerability in CVE-2019-10747 can be fixed by updating the Node.js set-value module to version 3.0.1 or later (or 2.0.1 or later on the 2.x line), or by applying the remedy the vendor provides for the affected product.