2150323 – (CVE-2022-24999) CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process

Bug 2150323 (CVE-2022-24999) - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process

Summary: CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-24999
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2151099 2151100 2151101 2152497 2150401 2150805 2150806 2150807 2151097 2151098 2151102 2151103 2151142 2151143 2151144 2151260 2152233 2152235 2152236 2152238 2152239 2152240 2152661 2152662 2152663 2154454 2154838 2154839
Blocks:	2148828
TreeView+	depends on / blocked

Reported:	2022-12-02 14:05 UTC by Borja Tarraso
Modified:	2024-03-18 13:17 UTC (History)
CC List:	151 users (show)
Fixed In Version:	qs 4.17.3, qs 6.9.7, qs 6.8.3, qs 6.7.3, qs 6.6.1, qs 6.5.3, qs 6.4.1, qs 6.3.3, qs 6.2.4, qs 6.10.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service.
Clone Of:
Environment:
Last Closed:	2023-01-11 08:32:20 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2023:1546	None	None	None	2023-04-03 12:03:55 UTC
Red Hat Product Errata	RHSA-2023:0050	None	None	None	2023-01-09 14:51:02 UTC
Red Hat Product Errata	RHSA-2023:0612	None	None	None	2023-02-06 19:39:51 UTC
Red Hat Product Errata	RHSA-2023:0794	None	None	None	2023-02-15 21:17:41 UTC
Red Hat Product Errata	RHSA-2023:0930	None	None	None	2023-03-08 14:01:38 UTC
Red Hat Product Errata	RHSA-2023:0932	None	None	None	2023-03-08 14:06:38 UTC
Red Hat Product Errata	RHSA-2023:0934	None	None	None	2023-02-28 00:50:45 UTC
Red Hat Product Errata	RHSA-2023:1428	None	None	None	2023-03-23 02:16:18 UTC
Red Hat Product Errata	RHSA-2023:1533	None	None	None	2023-03-30 12:35:53 UTC
Red Hat Product Errata	RHSA-2023:1742	None	None	None	2023-04-12 14:58:40 UTC
Red Hat Product Errata	RHSA-2023:3265	None	None	None	2023-05-23 09:17:32 UTC
Red Hat Product Errata	RHSA-2023:3645	None	None	None	2023-06-15 20:56:24 UTC

Description Borja Tarraso 2022-12-02 14:05:34 UTC

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs.7" in its release description, is not vulnerable).

Comment 3 Avinash Hanwate 2022-12-06 06:37:48 UTC

Created breeze-icon-theme tracking bugs for this issue:

Affects: epel-8 [bug 2151099]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2151097]


Created nodejs-qs tracking bugs for this issue:

Affects: fedora-all [bug 2151103]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2151100]


Created qpid-dispatch tracking bugs for this issue:

Affects: epel-7 [bug 2151098]
Affects: epel-8 [bug 2151101]


Created seamonkey tracking bugs for this issue:

Affects: epel-8 [bug 2151102]

Comment 22 errata-xmlrpc 2023-01-09 14:50:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050

Comment 24 Product Security DevOps Team 2023-01-11 08:32:11 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24999

Comment 25 errata-xmlrpc 2023-02-06 19:39:44 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612

Comment 26 errata-xmlrpc 2023-02-15 21:17:34 UTC

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:0794 https://access.redhat.com/errata/RHSA-2023:0794

Comment 27 errata-xmlrpc 2023-02-28 00:50:39 UTC

This issue has been addressed in the following products:

  MTA-6.0-RHEL-8

Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934

Comment 28 errata-xmlrpc 2023-03-08 14:01:31 UTC

This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2023:0930 https://access.redhat.com/errata/RHSA-2023:0930

Comment 29 errata-xmlrpc 2023-03-08 14:06:30 UTC

This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0932 https://access.redhat.com/errata/RHSA-2023:0932

Comment 31 errata-xmlrpc 2023-03-23 02:16:12 UTC

This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428

Comment 32 errata-xmlrpc 2023-03-30 12:35:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533

Comment 33 errata-xmlrpc 2023-04-12 14:58:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Comment 34 errata-xmlrpc 2023-05-23 09:17:25 UTC

This issue has been addressed in the following products:

  RHODF-4.12-RHEL-8

Via RHSA-2023:3265 https://access.redhat.com/errata/RHSA-2023:3265

Comment 35 errata-xmlrpc 2023-06-15 20:56:16 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.2 for RHEL 8

Via RHSA-2023:3645 https://access.redhat.com/errata/RHSA-2023:3645

Note You need to log in before you can comment on or make changes to this bug.

adudiak
aileenc
alazarot
andrew.slice
aoconnor
asoldano
balejosg
bbaranow
bbuckingham
bcoca
bcourt
bdettelb
bmaxwell
bniver
bodavis
brian.stansberry
btotty
caswilli
cdewolf
chazlett
cwelton
darran.lofthouse
davidn
dbhole
dcadzow
dffrench
dhalasz
dkenigsb
dkreling
dkuc
dosoudil
dymurray
ehelms
ellin
emartyny
emingora
epacific
eric.wittmann
etamir
fdeutsch
fjansen
fjuma
flucifre
gjospin
gmalinko
gmeno
gparvin
gzaronik
hhorak
hkataria
ibek
ibolton
idm-ds-dev-bugs
ivassile
iweiss
janstey
jburrell
jcammara
jcantril
jhardy
jkoehler
jmatthew
jmontleo
jneedle
jobarker
jorton
jpavlik
jrokos
jshaughn
jsherril
jstanek
jstastny
jwendell
jwong
jwon
kanderso
kaycoth
kshier
kverlaen
lgao
lvaleeva
lzap
mabashia
mbenjamin
mhackett
mhulan
micjohns
mnovotny
mosmerov
msochure
msvehla
myarboro
nbecker
nboldt
ngough
njean
nmoumoul
nodejs-maint
nwallace
ocs-bugs
omajid
orabin
oramraz
osapryki
oskutka
ovanders
owatkins
pahickey
pantinor
pcreech
pdelbell
peholase
periklis
pjindal
pmackay
psegedy
rcernich
rchan
rgarg
rgodfrey
rguimara
rrajasek
rstancel
rwagner
saroy
scorneli
sfowler
shbose
simaishi
slucidi
smaestri
smcdonal
smullick
sostapov
sseago
stcannon
sthirugn
teagle
tfister
tkasparek
tom.jenkinson
tsasak
twalsh
ubhargav
vereddy
vkrizan
vkumar
vmugicag
yguenane
zsadeh
zsvetlik