Vulnerability Name:

CVE-2020-7774 (CCN-191999)

Assigned: 2020-10-25
Published: 2020-10-25
Updated: 2022-12-02
Summary: The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution.
CVSS v3 Severity: 7.3 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
7.3 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-915
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2020-7774

Source: report@snyk.io
Type: Patch, Third Party Advisory
report@snyk.io

Source: XF
Type: UNKNOWN
nodejs-cve20207774-code-exec(191999)

Source: report@snyk.io
Type: Exploit, Third Party Advisory
report@snyk.io

Source: report@snyk.io
Type: Patch, Third Party Advisory
report@snyk.io

Source: CCN
Type: Node.js Blog, 2021-04-06
April 2021 Security Releases

Source: report@snyk.io
Type: Exploit, Third Party Advisory
report@snyk.io

Source: CCN
Type: SNYK-JS-Y18N-1021887
Prototype Pollution

Source: report@snyk.io
Type: Exploit, Third Party Advisory
report@snyk.io

Source: CCN
Type: IBM Security Bulletin 6412225 (App Connect Enterprise)
Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7774)

Source: CCN
Type: IBM Security Bulletin 6412345 (Cloud Pak for Automation)
Multiple vulnerabilities affect IBM Cloud Pak for Automation

Source: CCN
Type: IBM Security Bulletin 6415863 (Cloud Automation Manager)
A security vulnerability in Node.js y18n module affects IBM Cloud Automation Manager.

Source: CCN
Type: IBM Security Bulletin 6416159 (Cloud Pak for Multicloud Management)
A security vulnerability in Node.js y18n module affects IBM Cloud Pak for Multicloud Management.

Source: CCN
Type: IBM Security Bulletin 6453115 (Cloud Pak for Security)
Cloud Pak for Security contains security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6467073 (Business Automation Workflow)
Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and Business Process Manager (BPM)

Source: CCN
Type: IBM Security Bulletin 6476334 (WA for ICP)
Potential vulnerability with Node.js

Source: CCN
Type: IBM Security Bulletin 6481673 (DataPower Gateway)
Prototype pollution flaw in y18n in IBM DataPower Gateway

Source: CCN
Type: IBM Security Bulletin 6507095 (Planning Analytics)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6591203 (Netcool Agile Service Manager)
Multiple Vulnerabilities in Node.js affects IBM Netcool Agile Service Manager

Source: CCN
Type: IBM Security Bulletin 6602309 (UrbanCode Velocity)
CVE-2020-7774

Source: CCN
Type: IBM Security Bulletin 6610082 (Db2 On Openshift)
Multiple vulnerabilities affect IBM Db2 On Openshift, IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6612727 (Cloud Pak System Software)
Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6825871 (Tivoli Netcool/OMNIbus_GUI)
Multiple vulnerabilities in React, webpack and Node.js modules affect Tivoli Netcool/OMNIbus WebGUI

Source: CCN
Type: IBM Security Bulletin 6991649 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: NPM Web site
y18n

Source: report@snyk.io
Type: Patch, Third Party Advisory
report@snyk.io

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-7774

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:business_process_manager:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:10:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:2018.4.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:12:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:18.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:19.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:11.0.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:4.5:-:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8182 | P | Security update for terraform-provider-helm (Important) | 2023-06-21
oval:org.opensuse.security:def:8159 | P | Security update for terraform-provider-null (Important) | 2023-06-21
oval:org.opensuse.security:def:8157 | P | Security update for terraform-provider-aws (Important) | 2023-06-21
oval:org.opensuse.security:def:8181 | P | Security update for terraform-provider-null (Important) | 2023-06-21
oval:org.opensuse.security:def:8160 | P | Security update for python-Flask (Important) | 2023-05-22
oval:org.opensuse.security:def:8158 | P | Security update for openvswitch (Important) | 2023-05-19
oval:org.opensuse.security:def:8156 | P | Security update for openvswitch (Important) | 2023-05-19
oval:org.opensuse.security:def:6121 | P | Security update for libgda (Important) (in QA) | 2022-08-31
oval:org.opensuse.security:def:6094 | P | Security update for squid (Important) | 2022-07-12
oval:org.opensuse.security:def:99503 | P | (Important) | 2022-03-23
oval:org.opensuse.security:def:113037 | P | nodejs14-14.17.5-1.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:99710 | P | (Moderate) | 2021-12-28
oval:org.opensuse.security:def:99702 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:100019 | P | (Important) | 2021-11-22
oval:org.opensuse.security:def:93111 | P | (Moderate) | 2021-11-09
oval:org.opensuse.security:def:100011 | P | (Moderate) | 2021-11-04
oval:org.opensuse.security:def:106478 | P | nodejs14-14.17.5-1.2 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:93264 | P | (Important) | 2021-09-03
oval:org.opensuse.security:def:110997 | P | Security update for nodejs8 (Important) | 2021-08-10
oval:org.opensuse.security:def:9562 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:91975 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:99312 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69249 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:96124 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:118577 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:111653 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:10126 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92362 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:102815 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69512 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:76278 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92760 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:8814 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69901 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:96125 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9372 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:70452 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:99120 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:109480 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9761 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92170 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:99511 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:67210 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:10312 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92561 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:8628 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69702 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69248 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:109481 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92958 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:118576 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:102814 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9009 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:70266 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:98925 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:110973 | P | Security update for nodejs12 (Important) | 2021-07-19
oval:org.opensuse.security:def:110975 | P | Security update for nodejs14 (Important) | 2021-07-19
oval:org.opensuse.security:def:110976 | P | Security update for nodejs10 (Important) | 2021-07-19
oval:org.opensuse.security:def:109478 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:76251 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92752 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:8806 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69893 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:93103 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:9364 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:70444 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:99112 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69246 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:109479 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:118574 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:9753 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92162 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:102812 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:67183 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:10304 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92553 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:8620 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69694 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69247 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:96122 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92950 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:118575 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:111623 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:102813 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:9001 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:70258 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69271 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:98917 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:93256 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:102265 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:9554 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:91967 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:99304 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:96123 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:111624 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:10118 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92354 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69504 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69245 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:118573 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:102811 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:20971 | P | Security update for nodejs14 (Important) | 2021-07-14
oval:org.opensuse.security:def:49444 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:96121 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:111621 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:69270 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:20972 | P | Security update for nodejs10 (Important) | 2021-07-14
oval:org.opensuse.security:def:102264 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:49442 | P | Security update for nodejs14 (Important) | 2021-07-14
oval:org.opensuse.security:def:20973 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:109477 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:49443 | P | Security update for nodejs10 (Important) | 2021-07-14
oval:com.redhat.rhsa:def:20210548 | P | RHSA-2021:0548: nodejs:10 security update (Moderate) | 2021-02-16
oval:com.redhat.rhsa:def:20210551 | P | RHSA-2021:0551: nodejs:14 security and bug fix update (Moderate) | 2021-02-16
oval:com.redhat.rhsa:def:20205499 | P | RHSA-2020:5499: nodejs:12 security and bug fix update (Moderate) | 2020-12-15