{
  "threat_severity" : "Moderate",
  "public_date" : "2022-04-12T00:00:00Z",
  "bugzilla" : {
    "description" : "nconf: Prototype pollution in memory store",
    "id" : "2074689",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2074689"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-1321",
  "details" : [ "This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, which is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.", "A flaw was found in the nconf library when setting the configuration properties. This flaw allows an attacker to provide a crafted property, leading to prototype object pollution." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8",
    "release_date" : "2022-06-09T00:00:00Z",
    "advisory" : "RHSA-2022:4956",
    "cpe" : "cpe:/a:redhat:acm:2.5::el8",
    "package" : "rhacm2/search-api-rhel8:v2.5.0-25"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/application-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/console-api-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/console-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/grc-ui-api-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/grc-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/kui-web-terminal-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-21803\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-21803\nhttps://github.com/allengayCx/nodegoat/issues/88" ],
  "name" : "CVE-2022-21803",
  "csaw" : false
}