CVE-2021-21297

Description:
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object, with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor URL.

CWE: CWE-400

CVSS rating
CVSS 2: MEDIUM – 4 (Version: 2.0)
CVSS 3: MEDIUM – 6.5 (Version: 3.1)

Links:

NVD – CVE-2021-21297
CVE – CVE-2021-21297

Link (max. 20) Source Tags
https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67 CONFIRM Third Party Advisory
https://www.npmjs.com/package/@node-red/runtime MISC Release Notes Third Party Advisory
https://www.npmjs.com/package/@node-red/editor-api MISC Release Notes Third Party Advisory
https://github.com/node-red/node-red/releases/tag/1.2.8 MISC Release Notes Third Party Advisory

Source: NVD – CVE-2021-21297
Published: 2021-02-26T17:15Z, Last modified: 2021-05-10T22:07Z