CVE-2020-7598: Input Validation

Q: What is CVE-2020-7598?

CVE-2020-7598 is a vulnerability in minimist before version 1.2.2 that can be tricked into adding or modifying properties of Object.prototype.

Q: What is the impact of CVE-2020-7598?

The highest threat from CVE-2020-7598 is to confidentiality, integrity, as well as system availability.

Q: How can I fix CVE-2020-7598?

To fix CVE-2020-7598, update to minimist version 1.2.3.

Q: Where can I find more information about CVE-2020-7598?

You can find more information about CVE-2020-7598 at the following references: [Reference 1](https://snyk.io/vuln/SNYK-JS-MINIMIST-559764), [Reference 2](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1813346).

Q: What is the severity of CVE-2020-7598?

The severity of CVE-2020-7598 is medium with a CVSS score of 5.6.

Published Mar 10, 2020

Updated

A flaw was found in nodejs-minimist, where it was tricked into adding or modifying properties of the Object.prototype using a "constructor" or "proto" payload. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Other sources

Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --proto.y=Polluted adds a y property with value Polluted to all objects. The argument --proto=Polluted raises and uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to minimist.

Recommendation

Upgrade to versions 0.2.1, 1.2.3 or later.

— GitHub

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

minimist could provide weaker than expected security, caused by a prototype pollution flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.

— IBM

Affected Software

13 affected componentsFixes available

redhat/jaeger<0:v1.13.1.redhat7-1.el7

0:v1.13.1.redhat7-1.el7

redhat/kiali<0:v1.0.11.redhat1-1.el7

0:v1.0.11.redhat1-1.el7

redhat/servicemesh-grafana<0:6.2.2-36.el8

0:6.2.2-36.el8

redhat/atomic-openshift-web-console<0:3.11.248-1.git.1.cc96c2d.el7

0:3.11.248-1.git.1.cc96c2d.el7

redhat/rh-nodejs12-nodejs<0:12.18.2-1.el7

0:12.18.2-1.el7

redhat/rh-nodejs10-nodejs<0:10.21.0-3.el7

0:10.21.0-3.el7

redhat/ovirt-engine-ui-extensions<0:1.2.2-1.el8e

0:1.2.2-1.el8e

redhat/minimist<1.2.3

1.2.3

npm/minimist>=1.0.0<1.2.3

1.2.3

npm/minimist<0.2.1

0.2.1

IBM Engineering Requirements Quality Assistant On-Premises<=All

substack Minimist Node.js<1.2.2

openSUSE Leap=15.1

Remediation

Patch Available

https://snyk.io/vuln/SNYK-JS-MINIMIST-559764

Event History

Mar 10, 2020

CVE Published

12:00 AM

Mar 11, 2020

CVE Published

via MITRE·09:40 PM

Data Sourced

via MITRE·09:40 PM

DescriptionWeakness

Mar 13, 2020

Data Sourced

via Red Hat·02:57 PM

DescriptionSeverityAffected Software

Apr 3, 2020

Advisory Published

via GitHub·09:48 PM

Parent advisories

This vulnerability appears in the following advisories.

Frequently Asked Questions

What is CVE-2020-7598?

CVE-2020-7598 is a vulnerability in minimist before version 1.2.2 that can be tricked into adding or modifying properties of Object.prototype.

What is the impact of CVE-2020-7598?