CVE-2020-7598: Input Validation
First published: Tue Mar 10 2020(Updated: )
A flaw was found in nodejs-minimist, where it was tricked into adding or modifying properties of the Object.prototype using a "constructor" or "__proto__" payload. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jaeger | <0:v1.13.1.redhat7-1.el7 | 0:v1.13.1.redhat7-1.el7 |
| redhat/kiali | <0:v1.0.11.redhat1-1.el7 | 0:v1.0.11.redhat1-1.el7 |
| redhat/servicemesh-grafana | <0:6.2.2-36.el8 | 0:6.2.2-36.el8 |
| redhat/atomic-openshift-web-console | <0:3.11.248-1.git.1.cc96c2d.el7 | 0:3.11.248-1.git.1.cc96c2d.el7 |
| redhat/rh-nodejs12-nodejs | <0:12.18.2-1.el7 | 0:12.18.2-1.el7 |
| redhat/rh-nodejs10-nodejs | <0:10.21.0-3.el7 | 0:10.21.0-3.el7 |
| redhat/ovirt-engine-ui-extensions | <0:1.2.2-1.el8e | 0:1.2.2-1.el8e |
| redhat/minimist | <1.2.3 | 1.2.3 |
| npm/minimist | >=1.0.0<1.2.3 | 1.2.3 |
| npm/minimist | <0.2.1 | 0.2.1 |
| Substack Minimist | <1.2.2 | |
| openSUSE Leap | =15.1 | |
| IBM Engineering Requirements Quality Assistant On-Premises | <=All |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-7598 https://nvd.nist.gov/vuln/detail/CVE-2020-7598 https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://bugzilla.redhat.com/show_bug.cgi?id=1813344
- https://access.redhat.com/errata/RHSA-2020:2362
- https://access.redhat.com/errata/RHSA-2020:2848
- https://access.redhat.com/errata/RHSA-2020:2852
- https://access.redhat.com/errata/RHSA-2020:3042
- https://access.redhat.com/errata/RHSA-2020:2847
- https://access.redhat.com/errata/RHSA-2020:2849
- https://access.redhat.com/errata/RHSA-2020:2992
- https://access.redhat.com/errata/RHSA-2020:4298
- https://access.redhat.com/errata/RHSA-2021:2643
- https://access.redhat.com/errata/RHSA-2020:2895
- https://access.redhat.com/errata/RHSA-2020:3084
- https://access.redhat.com/errata/RHSA-2020:3247
- https://access.redhat.com/security/cve/cve-2020-7598
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1813346
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1813347
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1813345
- https://github.com/nodejs/node/commit/40b559a376ae1db031132a86a76834decf6f0c2d
- https://github.com/npm/cli/commit/9c554fd8cd1e9aeb8eb122ccfa3c78d12af4097a
- https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab
- https://nvd.nist.gov/vuln/detail/CVE-2020-7598
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
- https://www.npmjs.com/advisories/1179
- https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68
- https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab
- https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95
- https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
- https://github.com/advisories/GHSA-vh95-rmgr-6w4m (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/177780
- https://www.ibm.com/support/pages/node/6398724 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-7598?
CVE-2020-7598 is a vulnerability in minimist before version 1.2.2 that can be tricked into adding or modifying properties of Object.prototype.
What is the impact of CVE-2020-7598?
The highest threat from CVE-2020-7598 is to confidentiality, integrity, as well as system availability.
How can I fix CVE-2020-7598?
To fix CVE-2020-7598, update to minimist version 1.2.3.
Where can I find more information about CVE-2020-7598?
You can find more information about CVE-2020-7598 at the following references: [Reference 1](https://snyk.io/vuln/SNYK-JS-MINIMIST-559764), [Reference 2](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1813346).
What is the severity of CVE-2020-7598?
The severity of CVE-2020-7598 is medium with a CVSS score of 5.6.
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-7598
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vh95-rmgr-6w4m
- agent/last-modified-date
- collector/github-advisory
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/ibm-support
- source/IBM
- agent/references
- agent/event
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- package-manager/npm
- vendor/substack
- canonical/substack minimist
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/ibm
- canonical/ibm engineering requirements quality assistant on-premises
- version/ibm engineering requirements quality assistant on-premises/all