Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
References
Link | Resource |
---|---|
https://hackerone.com/reports/1431042 | Issue Tracking Mitigation Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html | Mailing List Third Party Advisory |
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/ | Release Notes Vendor Advisory |
https://security.netapp.com/advisory/ntap-20220325-0007/ | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20220729-0004/ | Third Party Advisory |
https://www.debian.org/security/2022/dsa-5170 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
10 Nov 2022, 03:48
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html - Mailing List, Third Party Advisory |
06 Oct 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Jul 2022, 02:19
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* |
|
First Time |
Oracle mysql Server
Oracle mysql Cluster Oracle mysql Workbench Debian Oracle mysql Connectors Debian debian Linux Netapp Netapp snapcenter Netapp oncommand Workflow Automation Netapp oncommand Insight Oracle Oracle mysql Enterprise Monitor Oracle peoplesoft Enterprise Peopletools |
|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20220729-0004/ - Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2022/dsa-5170 - Third Party Advisory |
29 Jul 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Jul 2022, 18:19
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Jun 2022, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
18 Apr 2022, 18:36
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20220325-0007/ - Third Party Advisory |
25 Mar 2022, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Mar 2022, 13:57
Type | Values Removed | Values Added |
---|---|---|
CPE |
08 Mar 2022, 16:41
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/ - Release Notes, Vendor Advisory | |
References | (MISC) https://hackerone.com/reports/1431042 - Issue Tracking, Mitigation, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 6.4
v3 : 8.2 |
CPE | cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* cpe:2.3:a:nodejs:node.js:*:*:*:*:ts:*:*:* cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
|
CWE | CWE-1321 | |
First Time |
Nodejs
Nodejs node.js |
24 Feb 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-02-24 19:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-21824
Mitre link : CVE-2022-21824
CVE.ORG link : CVE-2022-21824
JSON object : View
Products Affected
oracle
- mysql_connectors
- mysql_server
- mysql_workbench
- mysql_cluster
- peoplesoft_enterprise_peopletools
- mysql_enterprise_monitor
debian
- debian_linux
netapp
- oncommand_insight
- snapcenter
- oncommand_workflow_automation
nodejs
- node.js