Vulnerability Name:

CVE-2021-44906 (CCN-222195)

Assigned:2020-03-11
Published:2020-03-11
Updated:2022-04-12
Summary:Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.8 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
5.1 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
9.8 Critical (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.8 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-1321
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-44906

Source: CCN
Type: Red Hat Bugzilla – Bug 2066009
(CVE-2021-44906) - CVE-2021-44906 minimist: prototype pollution

Source: XF
Type: UNKNOWN
nodejs-cve202144906-code-exec(222195)

Source: MISC
Type: Exploit, Third Party Advisory
https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip

Source: MISC
Type: Exploit, Third Party Advisory
https://github.com/substack/minimist/blob/master/index.js#L69

Source: MISC
Type: Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/substack/minimist/issues/164

Source: CCN
Type: SNYK-JS-MINIMIST-2429795
Prototype Pollution

Source: CCN
Type: SNYK-JS-MINIMIST-559764
Prototype Pollution

Source: MISC
Type: Exploit, Not Applicable, Patch, Third Party Advisory
https://snyk.io/vuln/SNYK-JS-MINIMIST-559764

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068

Source: CCN
Type: IBM Security Bulletin 6570939 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Source: CCN
Type: IBM Security Bulletin 6596915 (Cloud Pak for Business Automation)
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2022

Source: CCN
Type: IBM Security Bulletin 6601101 (App Connect Enterprise)
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2022-44906)

Source: CCN
Type: IBM Security Bulletin 6610082 (Db2 On Openshift)
Multiple vulnerabilities affect IBM Db2 On Openshift, IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6614909 (Spectrum Discover)
IBM Spectrum Discover is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6827633 (Security QRadar Analyst Workflow)
IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6830017 (QRadar Pulse App)
QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6832944 (Business Automation Manager Open Editions)
Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.1

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6854713 (Voice Gateway)
Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6857803 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6965290 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2020-7789, CVE-2020-7598, CVE-2021-44906 , XFID: 216835, XFID: 220063)

Source: CCN
Type: IBM Security Bulletin 6980797 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6991575 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: IBM Security Bulletin 7008939 (Security Verify Governance)
Multiple vulnerabilities fixed in IBM Security Verify Governance - Identity Manager Virtual Appliance

Source: CCN
Type: NPM Web site
minimist

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-44906

Vulnerable Configuration:Configuration 1:
  • cpe:/a:substack:minimist:*:*:*:*:*:node.js:*:* (Version < 1.2.6)

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:4.5:-:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20230321
    P
    		RHSA-2023:0321: nodejs and nodejs-nodemon security, bug fix, and enhancement update (Moderate)
    2023-01-23
    oval:com.redhat.rhsa:def:20230050
    P
    		RHSA-2023:0050: nodejs:14 security, bug fix, and enhancement update (Moderate)
    2023-01-09
    oval:com.redhat.rhsa:def:20229073
    P
    		RHSA-2022:9073: nodejs:16 security, bug fix, and enhancement update (Moderate)
    2022-12-15
    oval:org.opensuse.security:def:483
    P
    		Security update for nodejs8 (Moderate)
    2022-05-17
    oval:org.opensuse.security:def:119580
    P
    		Security update for nodejs10 (Important)
    2022-05-17
    oval:org.opensuse.security:def:484
    P
    		Security update for nodejs10 (Important)
    2022-05-17
    oval:org.opensuse.security:def:119395
    P
    		Security update for nodejs10 (Important)
    2022-05-17
    oval:org.opensuse.security:def:119205
    P
    		Security update for nodejs10 (Important)
    2022-05-17
    oval:org.opensuse.security:def:118898
    P
    		Security update for nodejs10 (Important)
    2022-05-17
    oval:org.opensuse.security:def:118708
    P
    		Security update for nodejs10 (Important)
    2022-05-17
    oval:org.opensuse.security:def:119384
    P
    		Security update for nodejs14 (Important)
    2022-04-28
    oval:org.opensuse.security:def:118886
    P
    		Security update for nodejs12 (Important)
    2022-04-28
    oval:org.opensuse.security:def:102277
    P
    		Security update for nodejs12 (Important)
    2022-04-28
    oval:org.opensuse.security:def:119194
    P
    		Security update for nodejs14 (Important)
    2022-04-28
    oval:org.opensuse.security:def:118696
    P
    		Security update for nodejs12 (Important)
    2022-04-28
    oval:org.opensuse.security:def:118887
    P
    		Security update for nodejs14 (Important)
    2022-04-28
    oval:org.opensuse.security:def:102278
    P
    		Security update for nodejs14 (Important)
    2022-04-28
    oval:org.opensuse.security:def:457
    P
    		Security update for nodejs12 (Important)
    2022-04-28
    oval:org.opensuse.security:def:118697
    P
    		Security update for nodejs14 (Important)
    2022-04-28
    oval:org.opensuse.security:def:119568
    P
    		Security update for nodejs12 (Important)
    2022-04-28
    oval:org.opensuse.security:def:1717
    P
    		Security update for nodejs12 (Important)
    2022-04-28
    oval:org.opensuse.security:def:458
    P
    		Security update for nodejs14 (Important)
    2022-04-28
    oval:org.opensuse.security:def:119383
    P
    		Security update for nodejs12 (Important)
    2022-04-28
    oval:org.opensuse.security:def:119569
    P
    		Security update for nodejs14 (Important)
    2022-04-28
    oval:org.opensuse.security:def:119193
    P
    		Security update for nodejs12 (Important)
    2022-04-28
    oval:org.opensuse.security:def:1718
    P
    		Security update for nodejs14 (Important)
    2022-04-28
    BACK
    substack minimist *
    nodejs node.js *
    ibm app connect 11.0.0.0
    ibm integration bus 10.0.0.0
    ibm cognos analytics 11.1
    ibm watson discovery 2.0.0
    ibm voice gateway 1.0.2
    ibm voice gateway 1.0.3
    ibm voice gateway 1.0.2.4
    ibm voice gateway 1.0.4
    ibm voice gateway 1.0.5
    ibm voice gateway 1.0.7
    ibm watson discovery 2.2.1
    ibm app connect enterprise 12.0.1.0
    ibm cognos analytics 11.2
    ibm db2 warehouse 3.5 -
    ibm db2 warehouse 4.0 -
    ibm cloud pak for business automation 18.0.0
    ibm cloud pak for business automation 18.0.2
    ibm cloud pak for business automation 19.0.1
    ibm cloud pak for business automation 19.0.3
    ibm cloud pak for business automation 20.0.1
    ibm cloud pak for business automation 20.0.3
    ibm cloud pak for business automation 21.0.1 -
    ibm cloud pak for business automation 21.0.2 -
    ibm cloud pak for business automation 21.0.3 -
    ibm security verify governance 10.0
    ibm db2 warehouse 4.5 -