CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
782 vulnerabilities reference this CWE, most recent first.
GHSA-WWG2-2CRQ-6GRR
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-06-17 21:38Prototype pollution vulnerability in '@strikeentco/set' version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@strikeentco/set"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0"
]
}
],
"aliases": [
"CVE-2020-28267"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T21:38:52Z",
"nvd_published_at": "2020-11-10T16:15:00Z",
"severity": "HIGH"
},
"details": "Prototype pollution vulnerability in \u0027@strikeentco/set\u0027 version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-wwg2-2crq-6grr",
"modified": "2022-06-17T21:38:52Z",
"published": "2022-05-24T17:34:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28267"
},
{
"type": "WEB",
"url": "https://github.com/strikeentco/set/commit/102cc6b2e1d1e0c928ced87e75df759d5541ff60"
},
{
"type": "WEB",
"url": "https://github.com/strikeentco/set"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28267"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in @strikeentco/set"
}
GHSA-WWXH-74FX-33C6
Vulnerability from github – Published: 2023-05-01 14:01 – Updated: 2023-05-01 14:01Impact
Possible prototype pollution for the MetadataRecord, when merged with a base class' metadata object, in meta decorator from the @aedart/support package.
The likelihood is questionable, given that a class' metadata can only be set or altered when the class is decorated via meta(). Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can become a vulnerability.
Patches
Has been patched in version 0.6.1.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@aedart/support"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-30857"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-01T14:01:02Z",
"nvd_published_at": "2023-04-28T21:15:09Z",
"severity": "LOW"
},
"details": "### Impact\n\nPossible prototype pollution for the `MetadataRecord`, when merged with a base class\u0027 metadata object, in `meta` decorator from the `@aedart/support` package.\n\nThe likelihood is questionable, given that a class\u0027 metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can become a vulnerability.\n### Patches\n\nHas been patched in version `0.6.1`.\n",
"id": "GHSA-wwxh-74fx-33c6",
"modified": "2023-05-01T14:01:02Z",
"published": "2023-05-01T14:01:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30857"
},
{
"type": "WEB",
"url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"
},
{
"type": "PACKAGE",
"url": "https://github.com/aedart/ion"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Possible prototype pollution in metadata record, when using meta decorator"
}
GHSA-WX5G-37JH-9GCR
Vulnerability from github – Published: 2022-10-20 12:00 – Updated: 2022-10-21 19:01Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.
{
"affected": [],
"aliases": [
"CVE-2022-37598"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-20T11:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.",
"id": "GHSA-wx5g-37jh-9gcr",
"modified": "2022-10-21T19:01:14Z",
"published": "2022-10-20T12:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37598"
},
{
"type": "WEB",
"url": "https://github.com/mishoo/UglifyJS/issues/5699"
},
{
"type": "WEB",
"url": "https://github.com/mishoo/UglifyJS/issues/5721#issuecomment-1292849604"
},
{
"type": "WEB",
"url": "https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L46"
},
{
"type": "WEB",
"url": "https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L79"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXFJ-84XF-7GXV
Vulnerability from github – Published: 2023-02-28 06:30 – Updated: 2023-03-08 23:14All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "utilities"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26105"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-06T21:55:12Z",
"nvd_published_at": "2023-02-28T05:15:00Z",
"severity": "HIGH"
},
"details": "All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.",
"id": "GHSA-wxfj-84xf-7gxv",
"modified": "2023-03-08T23:14:00Z",
"published": "2023-02-28T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26105"
},
{
"type": "WEB",
"url": "https://github.com/mde/utilities/issues/29"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-UTILITIES-3184491"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "mde utilities contains Prototype Pollution"
}
GHSA-X2W5-725J-GF2G
Vulnerability from github – Published: 2022-04-20 16:21 – Updated: 2022-05-26 19:43Impact
- An attacker can inject attributes that are used in other components
- An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.
The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.
Patches
The problem is patched in convict@6.2.3. Users should upgrade to convict@6.2.3.
Workarounds
No way for users to fix or remediate the vulnerability without upgrading
References
- https://www.huntr.dev/bounties/1-npm-convict/
-
384
- 3b86be087d8f14681a9c889d45da7fe3ad9cd880
- 1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75
For more information
If you have any questions or comments about this advisory: add your question as a comment in #384
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "convict"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-22143"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-20T16:21:03Z",
"nvd_published_at": "2022-05-01T16:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\n* An attacker can inject attributes that are used in other components\n* An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.\n\nThe main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it\u0027s unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.\n\n### Patches\n\nThe problem is patched in `convict@6.2.3`. Users should upgrade to `convict@6.2.3`.\n\n### Workarounds\n\nNo way for users to fix or remediate the vulnerability without upgrading\n\n### References\n\n* https://www.huntr.dev/bounties/1-npm-convict/\n* #384\n* 3b86be087d8f14681a9c889d45da7fe3ad9cd880\n* 1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75\n\n### For more information\n\nIf you have any questions or comments about this advisory: \nadd your question as a comment in #384 \n",
"id": "GHSA-x2w5-725j-gf2g",
"modified": "2022-05-26T19:43:23Z",
"published": "2022-04-20T16:21:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-x2w5-725j-gf2g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22143"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/pull/384"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/releases/tag/v6.2.2"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-CONVICT-2340604"
},
{
"type": "WEB",
"url": "https://www.huntr.dev/bounties/1-npm-convict"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in convict"
}
GHSA-X3CC-X39P-42QX
Vulnerability from github – Published: 2023-06-13 12:44 – Updated: 2023-12-14 22:27Impact
As a part of this vulnerability, user was able to se code using __proto__ as a tag or attribute name.
const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");
let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"
const parser = new XMLParser();
let jObj = parser.parse(XMLdata);
console.log(jObj.polluted) // should return hacked
Patches
The problem has been patched in v4.1.2
Workarounds
User can check for "proto" in the XML string before parsing it to the parser.
References
https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26920"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-13T12:44:34Z",
"nvd_published_at": "2023-12-12T17:15:07Z",
"severity": "MODERATE"
},
"details": "### Impact\nAs a part of this vulnerability, user was able to se code using `__proto__` as a tag or attribute name.\n\n```js\nconst { XMLParser, XMLBuilder, XMLValidator} = require(\"fast-xml-parser\");\n\nlet XMLdata = \"\u003c__proto__\u003e\u003cpolluted\u003ehacked\u003c/polluted\u003e\u003c/__proto__\u003e\"\n\nconst parser = new XMLParser();\nlet jObj = parser.parse(XMLdata);\n\nconsole.log(jObj.polluted) // should return hacked\n``` \n\n### Patches\nThe problem has been patched in v4.1.2\n\n### Workarounds\nUser can check for \"__proto__\" in the XML string before parsing it to the parser.\n\n### References\nhttps://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7\n",
"id": "GHSA-x3cc-x39p-42qx",
"modified": "2023-12-14T22:27:59Z",
"published": "2023-06-13T12:44:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-x3cc-x39p-42qx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26920"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd05804"
},
{
"type": "WEB",
"url": "https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-793h-6f7r-6qvm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name"
}
GHSA-X3M3-4WPV-5VGC
Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-25 15:25jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.6"
},
"package": {
"ecosystem": "npm",
"name": "requirejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-38999"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-10T16:50:19Z",
"nvd_published_at": "2024-07-01T13:15:05Z",
"severity": "HIGH"
},
"details": "jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function `s.contexts._.configure`. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-x3m3-4wpv-5vgc",
"modified": "2024-07-25T15:25:40Z",
"published": "2024-07-01T15:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38999"
},
{
"type": "WEB",
"url": "https://github.com/requirejs/r.js/issues/1015"
},
{
"type": "WEB",
"url": "https://github.com/requirejs/requirejs/issues/1854"
},
{
"type": "WEB",
"url": "https://github.com/requirejs/requirejs/pull/1856/commits/ebd7a2ff71473542fa132d0d15c10fb4ed1539e1"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a"
},
{
"type": "PACKAGE",
"url": "https://github.com/requirejs/r.js"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-REQUIREJS-5416713"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "jrburke requirejs vulnerable to prototype pollution"
}
GHSA-X3WR-V4WX-5QPC
Vulnerability from github – Published: 2021-06-21 17:14 – Updated: 2022-06-29 20:41Prototype pollution vulnerability in ‘expand-hash’ versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "expand-hash"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25948"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-14T19:29:17Z",
"nvd_published_at": "2021-06-10T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u2018expand-hash\u2019 versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-x3wr-v4wx-5qpc",
"modified": "2022-06-29T20:41:54Z",
"published": "2021-06-21T17:14:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25948"
},
{
"type": "PACKAGE",
"url": "https://github.com/doowb/expand-hash"
},
{
"type": "WEB",
"url": "https://github.com/doowb/expand-hash/blob/556913f6c2f05848110b5b8261cfc78e5ce3dc77/index.js#L19"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25948"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution"
}
GHSA-X5M8-2R8V-8F97
Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2022-03-29 22:05The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. Note: This vulnerability derives from an incomplete fix for CVE-2020-28283
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "libnested"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25352"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-18T22:57:55Z",
"nvd_published_at": "2022-03-17T12:15:00Z",
"severity": "CRITICAL"
},
"details": "The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930)",
"id": "GHSA-x5m8-2r8v-8f97",
"modified": "2022-03-29T22:05:38Z",
"published": "2022-03-18T00:01:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25352"
},
{
"type": "WEB",
"url": "https://github.com/dominictarr/libnested/commit/c1129865d75fbe52b5a4f755ad3110ca5420f2e1"
},
{
"type": "PACKAGE",
"url": "https://github.com/dominictarr/libnested"
},
{
"type": "WEB",
"url": "https://github.com/dominictarr/libnested/blob/master/index.js%23L22"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-LIBNESTED-2342117"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in libnested"
}
GHSA-X5R6-X823-9848
Vulnerability from github – Published: 2021-05-10 19:15 – Updated: 2023-09-05 22:44npm json-ptr before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the set operation when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json-ptr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7766"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-400",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-19T23:01:34Z",
"nvd_published_at": "2020-11-10T16:15:00Z",
"severity": "HIGH"
},
"details": "npm `json-ptr` before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the [set operation](https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.",
"id": "GHSA-x5r6-x823-9848",
"modified": "2023-09-05T22:44:45Z",
"published": "2021-05-10T19:15:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7766"
},
{
"type": "WEB",
"url": "https://github.com/418sec/json-ptr/pull/3"
},
{
"type": "WEB",
"url": "https://github.com/flitbit/json-ptr/commit/2539e3494c80af1eef24f0f433654a61f255f011"
},
{
"type": "WEB",
"url": "https://github.com/flitbit/json-ptr/blob/master/src/util.ts%23L174"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038396"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPTR-1016939"
},
{
"type": "WEB",
"url": "https://www.huntr.dev/bounties/2-npm-json-ptr"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/json-ptr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary Code Execution in json-ptr"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.