CVE-2021-44906: Critical severity IBM QRadar Data Synchronization App vulnerability

Q: What is the severity of CVE-2021-44906?

CVE-2021-44906 is classified as a high severity vulnerability as it allows prototype pollution, potentially leading to unexpected behavior or application crashes.

Q: How do I fix CVE-2021-44906?

To mitigate CVE-2021-44906, upgrade to minimist version 1.2.6 or later, or implement proper input validation to prevent prototype pollution.

Q: What versions of minimist are affected by CVE-2021-44906?

CVE-2021-44906 affects all versions of minimist prior to 1.2.6.

Q: What are the consequences of exploiting CVE-2021-44906?

Exploiting CVE-2021-44906 may allow an attacker to manipulate the properties of Object.prototype, leading to security issues and unstable application behavior.

Q: Is there any indication of active exploits for CVE-2021-44906?

As of now, there is no public information indicating active exploits targeting CVE-2021-44906, but users are encouraged to apply patches promptly.

Published Mar 10, 2022

Updated

Affected versions of minimist ( <=1.2.5 ) are vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload.

Other sources

An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or proto payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

— GitHub

Node.js Minimist module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in setKey() function in the index.js script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

— IBM

Affected Software

201 affected componentsFixes available

redhat/nodejs<1:16.18.1-3.el9_1

1:16.18.1-3.el9_1

redhat/nodejs-nodemon<0:2.0.20-2.el9_1

0:2.0.20-2.el9_1

redhat/eap7-hal-console<0:3.3.13-1.Final_redhat_00001.1.el8ea

0:3.3.13-1.Final_redhat_00001.1.el8ea

redhat/eap7<0:1-18.el9ea

0:1-18.el9ea

redhat/eap7-activemq-artemis<0:2.16.0-9.redhat_00042.1.el9ea

0:2.16.0-9.redhat_00042.1.el9ea

redhat/eap7-activemq-artemis-native<1:1.0.2-1.redhat_00001.1.el9ea

1:1.0.2-1.redhat_00001.1.el9ea

redhat/eap7-aesh-extensions<0:1.8.0-1.redhat_00001.1.el9ea

0:1.8.0-1.redhat_00001.1.el9ea

redhat/eap7-aesh-readline<0:2.2.0-1.redhat_00001.1.el9ea

0:2.2.0-1.redhat_00001.1.el9ea

redhat/eap7-agroal<0:1.3.0-1.redhat_00001.1.el9ea

0:1.3.0-1.redhat_00001.1.el9ea

redhat/eap7-antlr<0:2.7.7-54.redhat_7.1.el9ea

0:2.7.7-54.redhat_7.1.el9ea

redhat/eap7-apache-commons-beanutils<0:1.9.4-1.redhat_00002.1.el9ea

0:1.9.4-1.redhat_00002.1.el9ea

redhat/eap7-apache-commons-cli<0:1.4.0-1.redhat_00001.1.el9ea

0:1.4.0-1.redhat_00001.1.el9ea

redhat/eap7-apache-commons-codec<0:1.15.0-1.redhat_00001.1.el9ea

0:1.15.0-1.redhat_00001.1.el9ea

redhat/eap7-apache-commons-collections<0:3.2.2-9.redhat_2.1.el9ea

0:3.2.2-9.redhat_2.1.el9ea

redhat/eap7-apache-commons-io<0:2.10.0-1.redhat_00001.1.el9ea

0:2.10.0-1.redhat_00001.1.el9ea

redhat/eap7-apache-commons-lang<0:3.11.0-1.redhat_00001.1.el9ea

0:3.11.0-1.redhat_00001.1.el9ea

redhat/eap7-apache-commons-lang2<0:2.6.0-1.redhat_7.1.el9ea

0:2.6.0-1.redhat_7.1.el9ea

redhat/eap7-apache-cxf<0:3.3.13-1.redhat_00001.1.el9ea

0:3.3.13-1.redhat_00001.1.el9ea

redhat/eap7-apache-cxf-xjc-utils<0:3.3.1-1.1.redhat_00001.1.el9ea

0:3.3.1-1.1.redhat_00001.1.el9ea

redhat/eap7-apache-mime4j<0:0.6.0-4.1.redhat_7.1.el9ea

0:0.6.0-4.1.redhat_7.1.el9ea

redhat/eap7-apache-sshd<0:2.7.0-1.redhat_00001.1.el9ea

0:2.7.0-1.redhat_00001.1.el9ea

redhat/eap7-artemis-native<1:1.0.2-3.redhat_1.el9ea

1:1.0.2-3.redhat_1.el9ea

redhat/eap7-artemis-wildfly-integration<0:1.0.4-1.redhat_00001.1.el9ea

0:1.0.4-1.redhat_00001.1.el9ea

redhat/eap7-atinject<0:1.0.3-1.redhat_00001.1.el9ea

0:1.0.3-1.redhat_00001.1.el9ea

redhat/eap7-avro<0:1.7.6-7.1.redhat_2.1.el9ea

0:1.7.6-7.1.redhat_2.1.el9ea

redhat/eap7-azure-storage<0:8.6.6-1.1.redhat_00001.1.el9ea

0:8.6.6-1.1.redhat_00001.1.el9ea

redhat/eap7-bouncycastle<0:1.68.0-2.redhat_00005.1.el9ea

0:1.68.0-2.redhat_00005.1.el9ea

redhat/eap7-byte-buddy<0:1.11.12-2.redhat_00002.1.el9ea

0:1.11.12-2.redhat_00002.1.el9ea

redhat/eap7-caffeine<0:2.8.8-1.redhat_00001.1.el9ea

0:2.8.8-1.redhat_00001.1.el9ea

redhat/eap7-cal10n<0:0.8.1-6.redhat_1.1.el9ea

0:0.8.1-6.redhat_1.1.el9ea

redhat/eap7-codehaus-jackson<0:1.9.13-10.redhat_00007.1.el9ea

0:1.9.13-10.redhat_00007.1.el9ea

redhat/eap7-commons-logging-jboss-logging<0:1.0.0-1.Final_redhat_1.1.el9ea

0:1.0.0-1.Final_redhat_1.1.el9ea

redhat/eap7-cryptacular<0:1.2.4-1.redhat_00001.1.el9ea

0:1.2.4-1.redhat_00001.1.el9ea

redhat/eap7-dom4j<0:2.1.3-1.redhat_00001.1.el9ea

0:2.1.3-1.redhat_00001.1.el9ea

redhat/eap7-ecj<1:3.26.0-1.redhat_00002.1.el9ea

1:3.26.0-1.redhat_00002.1.el9ea

redhat/eap7-eclipse-jgit<0:5.13.0.202109080827-1.r_redhat_00001.1.el9ea

0:5.13.0.202109080827-1.r_redhat_00001.1.el9ea

redhat/eap7-elytron-web<0:1.9.2-2.Final_redhat_00001.1.el9ea

0:1.9.2-2.Final_redhat_00001.1.el9ea

redhat/eap7-fge-btf<0:1.2.0-1.redhat_00007.1.el9ea

0:1.2.0-1.redhat_00007.1.el9ea

redhat/eap7-fge-msg-simple<0:1.1.0-1.redhat_00007.1.el9ea

0:1.1.0-1.redhat_00007.1.el9ea

redhat/eap7-glassfish-concurrent<0:1.1.1-1.redhat_00001.1.el9ea

0:1.1.1-1.redhat_00001.1.el9ea

redhat/eap7-glassfish-fastinfoset<0:1.2.13-11.1.redhat_1.1.el9ea

0:1.2.13-11.1.redhat_1.1.el9ea

redhat/eap7-glassfish-jaf<0:1.2.2-1.redhat_00001.1.el9ea

0:1.2.2-1.redhat_00001.1.el9ea

redhat/eap7-glassfish-javamail<0:1.6.5-1.redhat_00001.1.el9ea

0:1.6.5-1.redhat_00001.1.el9ea

redhat/eap7-glassfish-jaxb<0:2.3.3-4.1.b02_redhat_00001.1.el9ea

0:2.3.3-4.1.b02_redhat_00001.1.el9ea

redhat/eap7-glassfish-jsf<0:2.3.14-4.SP05_redhat_00001.1.el9ea

0:2.3.14-4.SP05_redhat_00001.1.el9ea

redhat/eap7-glassfish-json<0:1.1.6-2.redhat_00001.1.el9ea

0:1.1.6-2.redhat_00001.1.el9ea

redhat/eap7-gnu-getopt<0:1.0.13-6.redhat_5.1.el9ea

0:1.0.13-6.redhat_5.1.el9ea

redhat/eap7-gson<0:2.8.9-1.redhat_00001.1.el9ea

0:2.8.9-1.redhat_00001.1.el9ea

redhat/eap7-guava-failureaccess<0:1.0.1-1.redhat_00002.1.el9ea

0:1.0.1-1.redhat_00002.1.el9ea

redhat/eap7-guava-libraries<0:30.1.0-1.1.redhat_00001.1.el9ea

0:30.1.0-1.1.redhat_00001.1.el9ea

redhat/eap7-h2database<0:1.4.197-2.redhat_00004.1.el9ea

0:1.4.197-2.redhat_00004.1.el9ea

redhat/eap7-hal-console<0:3.3.13-1.Final_redhat_00001.1.el9ea

0:3.3.13-1.Final_redhat_00001.1.el9ea

redhat/eap7-hibernate<0:5.3.27-1.Final_redhat_00001.1.el9ea

0:5.3.27-1.Final_redhat_00001.1.el9ea

redhat/eap7-hibernate-beanvalidation-api<0:2.0.2-1.redhat_00001.1.el9ea

0:2.0.2-1.redhat_00001.1.el9ea

redhat/eap7-hibernate-commons-annotations<0:5.0.5-1.1.Final_redhat_00002.1.el9ea

0:5.0.5-1.1.Final_redhat_00002.1.el9ea

redhat/eap7-hibernate-search<0:5.10.7-1.1.Final_redhat_00001.1.el9ea

0:5.10.7-1.1.Final_redhat_00001.1.el9ea

redhat/eap7-hibernate-validator<0:6.0.23-1.Final_redhat_00001.1.el9ea

0:6.0.23-1.Final_redhat_00001.1.el9ea

redhat/eap7-hornetq<0:2.4.8-1.Final_redhat_00001.1.el9ea

0:2.4.8-1.Final_redhat_00001.1.el9ea

redhat/eap7-httpcomponents-asyncclient<0:4.1.4-1.1.redhat_00001.1.el9ea

0:4.1.4-1.1.redhat_00001.1.el9ea

redhat/eap7-httpcomponents-client<0:4.5.13-1.redhat_00001.1.el9ea

0:4.5.13-1.redhat_00001.1.el9ea

redhat/eap7-httpcomponents-core<0:4.4.14-1.redhat_00001.1.el9ea

0:4.4.14-1.redhat_00001.1.el9ea

redhat/eap7-infinispan<0:11.0.15-1.Final_redhat_00001.1.el9ea

0:11.0.15-1.Final_redhat_00001.1.el9ea

redhat/eap7-ironjacamar<0:1.5.3-2.SP1_redhat_00001.1.el9ea

0:1.5.3-2.SP1_redhat_00001.1.el9ea

redhat/eap7-jackson-annotations<0:2.12.6-1.redhat_00001.1.el9ea