CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
783 vulnerabilities reference this CWE, most recent first.
GHSA-GH4X-QV3P-M9PM
Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-05 17:41akbr patch-into version 1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@akbr/patch-into"
},
"versions": [
"1.0.1"
]
}
],
"aliases": [
"CVE-2024-38991"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-01T21:30:34Z",
"nvd_published_at": "2024-07-01T13:15:04Z",
"severity": "HIGH"
},
"details": "akbr patch-into version 1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-gh4x-qv3p-m9pm",
"modified": "2024-07-05T17:41:35Z",
"published": "2024-07-01T15:32:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38991"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/8851413e3b33a96f191f0e9c81706532"
},
{
"type": "PACKAGE",
"url": "github.com/akbr/patch-into"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "akbr patch-into was discovered to contain a prototype pollution via the function patchInto"
}
GHSA-GHGH-MC9F-W47R
Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-06 18:31A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
{
"affected": [],
"aliases": [
"CVE-2024-57069"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-05T22:15:31Z",
"severity": "HIGH"
},
"details": "A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
"id": "GHSA-ghgh-mc9f-w47r",
"modified": "2025-02-06T18:31:05Z",
"published": "2025-02-06T06:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57069"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/68e06b00e3258d0d427257c6906bd300"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GHR5-CH3P-VCR6
Vulnerability from github – Published: 2024-04-28 18:30 – Updated: 2024-08-02 15:45The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-33883"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-01T08:25:03Z",
"nvd_published_at": "2024-04-28T16:15:23Z",
"severity": "MODERATE"
},
"details": "The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.",
"id": "GHSA-ghr5-ch3p-vcr6",
"modified": "2024-08-02T15:45:51Z",
"published": "2024-04-28T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33883"
},
{
"type": "WEB",
"url": "https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5"
},
{
"type": "PACKAGE",
"url": "https://github.com/mde/ejs"
},
{
"type": "WEB",
"url": "https://github.com/mde/ejs/compare/v3.1.9...v3.1.10"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240605-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ejs lacks certain pollution protection"
}
GHSA-GJM5-83CW-P3P2
Vulnerability from github – Published: 2022-01-12 22:59 – Updated: 2022-01-11 18:11The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "extend2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23568"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-11T18:11:48Z",
"nvd_published_at": "2022-01-10T14:10:00Z",
"severity": "HIGH"
},
"details": "The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.",
"id": "GHSA-gjm5-83cw-p3p2",
"modified": "2022-01-11T18:11:48Z",
"published": "2022-01-12T22:59:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23568"
},
{
"type": "WEB",
"url": "https://github.com/eggjs/extend2/pull/2"
},
{
"type": "WEB",
"url": "https://github.com/eggjs/extend2/commit/aa332a59116c8398976434b57ea477c6823054f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/eggjs/extend2"
},
{
"type": "WEB",
"url": "https://github.com/eggjs/extend2/blob/master/index.js%23L50-L60"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-EXTEND2-2320315"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in extend2"
}
GHSA-GM2V-MF3R-56JR
Vulnerability from github – Published: 2024-06-17 15:30 – Updated: 2024-07-03 18:45A Prototype Pollution issue in byondreal accessor <= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index.
{
"affected": [],
"aliases": [
"CVE-2024-36583"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-17T14:15:10Z",
"severity": "HIGH"
},
"details": "A Prototype Pollution issue in byondreal accessor \u003c= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index.",
"id": "GHSA-gm2v-mf3r-56jr",
"modified": "2024-07-03T18:45:36Z",
"published": "2024-06-17T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36583"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/97bc2fbfbcbde3a54d5536c9adeee34c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GM8G-XHH8-RMWR
Vulnerability from github – Published: 2021-05-10 19:17 – Updated: 2021-04-19 22:22This affects the package doc-path before 2.1.2.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "doc-path"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7772"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-19T22:22:45Z",
"nvd_published_at": "2020-11-15T15:15:00Z",
"severity": "CRITICAL"
},
"details": "This affects the package doc-path before 2.1.2.",
"id": "GHSA-gm8g-xhh8-rmwr",
"modified": "2021-04-19T22:22:45Z",
"published": "2021-05-10T19:17:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7772"
},
{
"type": "WEB",
"url": "https://github.com/mrodrig/doc-path/commit/3e2bb168cf303bffcd7fae5f8d05e5300c1541c7"
},
{
"type": "WEB",
"url": "https://github.com/mrodrig/doc-path/blob/stable/src/path.js%23L54"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DOCPATH-1011952"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in doc-path"
}
GHSA-GMJW-49P4-PCFM
Vulnerability from github – Published: 2021-03-12 22:44 – Updated: 2021-03-12 16:57Impact
The issue is as follows: when msgpack5 decodes a map containing a
key "__proto__", it assigns the decoded value to __proto__. As you
are no doubt aware, Object.prototype.__proto__ is an accessor
property for the receiver's prototype. If the value corresponding to
the key __proto__ decodes to an object or null, msgpack5 sets
the decoded object's prototype to that value.
An attacker who can submit crafted MessagePack data to a service can
use this to produce values that appear to be of other types; may have
unexpected prototype properties and methods (for example length,
numeric properties, and push et al if __proto__'s value decodes to
an Array); and/or may throw unexpected exceptions when used (for
example if the __proto__ value decodes to a Map or Date). Other
unexpected behavior might be produced for other types.
There is no effect on the global prototype.
An example:
const msgpack5 = require('msgpack5')();
const payload = {};
Object.defineProperty(payload, '__proto__', {
value: new Map().set(1, 2),
enumerable: true
});
const encoded = msgpack5.encode(payload);
console.log(encoded); // <Buffer 81 a9 5f 5f 70 72 6f 74 6f 5f 5f 81 01 02>
const decoded = msgpack5.decode(encoded);
// decoded's prototype has been overwritten
console.log(Object.getPrototypeOf(decoded)); // Map(1) { 1 => 2 }
console.log(decoded.get); // [Function: get]
// decoded appears to most common typechecks to be a Map
console.log(decoded instanceof Map); // true
console.log(decoded.toString()); // [object Map]
console.log(Object.prototype.toString.call(decoded)); // [object Map]
console.log(decoded.constructor.name); // Map
console.log(Object.getPrototypeOf(decoded).constructor.name); // Map
// decoded is not, however, a Map
console.log(Object.getPrototypeOf(decoded) === Map.prototype); // false
// using decoded as though it were a Map throws
try {
decoded.get(1);
} catch (error) {
console.log(error); // TypeError: Method Map.prototype.get called
// on incompatible receiver #<Map>
}
try {
decoded.size;
} catch (error) {
console.log(error); // TypeError: Method get Map.prototype.size
// called on incompatible receiver #<Map>
}
// re-encoding the decoded value throws
try {
msgpack5.encode(decoded);
} catch (error) {
console.log(error); // TypeError: Method Map.prototype.entries
// called on incompatible receiver #<Map>
}
This "prototype poisoning" is sort of a very limited inversion of a
prototype pollution attack. Only the decoded value's prototype is
affected, and it can only be set to msgpack5 values (though if the
victim makes use of custom codecs, anything could be a msgpack5
value). We have not found a way to escalate this to true prototype
pollution (absent other bugs in the consumer's code).
Patches
Versions v5.2.1, v4.5.1, v3.6.1 include the fix.
Workarounds
Always validate incoming data after parsing before doing any processing.
For more information
If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "msgpack5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "msgpack5"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "msgpack5"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21368"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-12T16:57:44Z",
"nvd_published_at": "2021-03-12T17:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe issue is as follows: when `msgpack5` decodes a map containing a \nkey `\"__proto__\"`, it assigns the decoded value to `__proto__`. As you \nare no doubt aware, `Object.prototype.__proto__` is an accessor \nproperty for the receiver\u0027s prototype. If the value corresponding to \nthe key `__proto__` decodes to an object or `null`, `msgpack5` sets \nthe decoded object\u0027s prototype to that value. \n\nAn attacker who can submit crafted MessagePack data to a service can \nuse this to produce values that appear to be of other types; may have \nunexpected prototype properties and methods (for example `length`, \nnumeric properties, and `push` et al if `__proto__`\u0027s value decodes to \nan `Array`); and/or may throw unexpected exceptions when used (for \nexample if the `__proto__` value decodes to a `Map` or `Date`). Other \nunexpected behavior might be produced for other types. \n\nThere is no effect on the global prototype.\n\nAn example: \n\n```js \nconst msgpack5 = require(\u0027msgpack5\u0027)(); \n\nconst payload = {}; \nObject.defineProperty(payload, \u0027__proto__\u0027, { \nvalue: new Map().set(1, 2), \nenumerable: true \n}); \n\nconst encoded = msgpack5.encode(payload); \nconsole.log(encoded); // \u003cBuffer 81 a9 5f 5f 70 72 6f 74 6f 5f 5f 81 01 02\u003e \n\nconst decoded = msgpack5.decode(encoded); \n\n// decoded\u0027s prototype has been overwritten \nconsole.log(Object.getPrototypeOf(decoded)); // Map(1) { 1 =\u003e 2 } \nconsole.log(decoded.get); // [Function: get] \n\n// decoded appears to most common typechecks to be a Map \nconsole.log(decoded instanceof Map); // true \nconsole.log(decoded.toString()); // [object Map] \nconsole.log(Object.prototype.toString.call(decoded)); // [object Map] \nconsole.log(decoded.constructor.name); // Map \nconsole.log(Object.getPrototypeOf(decoded).constructor.name); // Map \n\n// decoded is not, however, a Map \nconsole.log(Object.getPrototypeOf(decoded) === Map.prototype); // false \n\n// using decoded as though it were a Map throws \ntry { \ndecoded.get(1); \n} catch (error) { \nconsole.log(error); // TypeError: Method Map.prototype.get called \n// on incompatible receiver #\u003cMap\u003e \n} \ntry { \ndecoded.size; \n} catch (error) { \nconsole.log(error); // TypeError: Method get Map.prototype.size \n// called on incompatible receiver #\u003cMap\u003e \n} \n\n// re-encoding the decoded value throws \ntry { \nmsgpack5.encode(decoded); \n} catch (error) { \nconsole.log(error); // TypeError: Method Map.prototype.entries \n// called on incompatible receiver #\u003cMap\u003e \n} \n``` \n\nThis \"prototype poisoning\" is sort of a very limited inversion of a \nprototype pollution attack. Only the decoded value\u0027s prototype is \naffected, and it can only be set to `msgpack5` values (though if the \nvictim makes use of custom codecs, anything could be a `msgpack5` \nvalue). We have not found a way to escalate this to true prototype \npollution (absent other bugs in the consumer\u0027s code). \n\n### Patches\n\nVersions v5.2.1, v4.5.1, v3.6.1 include the fix.\n\n### Workarounds\n\nAlways validate incoming data after parsing before doing any processing.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)",
"id": "GHSA-gmjw-49p4-pcfm",
"modified": "2021-03-12T16:57:44Z",
"published": "2021-03-12T22:44:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mcollina/msgpack5/security/advisories/GHSA-gmjw-49p4-pcfm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21368"
},
{
"type": "WEB",
"url": "https://github.com/mcollina/msgpack5/commit/d4e6cb956ae51c8bb2828e71c7c1107c340cf1e8"
},
{
"type": "WEB",
"url": "https://github.com/mcollina/msgpack5/releases/tag/v3.6.1"
},
{
"type": "WEB",
"url": "https://github.com/mcollina/msgpack5/releases/tag/v4.5.1"
},
{
"type": "WEB",
"url": "https://github.com/mcollina/msgpack5/releases/tag/v5.2.1"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/msgpack5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype poisoning"
}
GHSA-GMWP-3PWC-3J3G
Vulnerability from github – Published: 2022-10-12 19:00 – Updated: 2023-07-28 21:01Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mockery"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37614"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-28T21:01:11Z",
"nvd_published_at": "2022-10-12T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js.",
"id": "GHSA-gmwp-3pwc-3j3g",
"modified": "2023-07-28T21:01:11Z",
"published": "2022-10-12T19:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37614"
},
{
"type": "WEB",
"url": "https://github.com/mfncooper/mockery/issues/77"
},
{
"type": "PACKAGE",
"url": "https://github.com/mfncooper/mockery"
},
{
"type": "WEB",
"url": "https://github.com/mfncooper/mockery/blob/822f0566fd6d72af8c943ae5ca2aa92e516aa2cf/mockery.js#L119"
},
{
"type": "WEB",
"url": "https://github.com/mfncooper/mockery/blob/822f0566fd6d72af8c943ae5ca2aa92e516aa2cf/mockery.js#L62"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "mockery is vulnerable to prototype pollution"
}
GHSA-GPVC-MX6G-CCHV
Vulnerability from github – Published: 2023-08-01 06:30 – Updated: 2023-08-01 19:47Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like __proto__.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "underscore-keypath"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.11"
},
{
"last_affected": "0.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26139"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-01T19:47:09Z",
"nvd_published_at": "2023-08-01T05:15:34Z",
"severity": "HIGH"
},
"details": "Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the `setProperty()` function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like `__proto__`.",
"id": "GHSA-gpvc-mx6g-cchv",
"modified": "2023-08-01T19:47:09Z",
"published": "2023-08-01T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26139"
},
{
"type": "WEB",
"url": "https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252"
},
{
"type": "PACKAGE",
"url": "https://github.com/jeeeyul/underscore-keypath"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "underscore-keypath vulnerable to Prototype Pollution"
}
GHSA-GR58-J5WH-M333
Vulnerability from github – Published: 2021-05-06 17:29 – Updated: 2021-05-05 21:33All versions of package nis-utils up to and including 0.6.10 are vulnerable to Prototype Pollution via the setValue function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nis-utils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.6.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7703"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T21:33:21Z",
"nvd_published_at": "2020-08-17T15:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of package nis-utils up to and including 0.6.10 are vulnerable to Prototype Pollution via the setValue function.",
"id": "GHSA-gr58-j5wh-m333",
"modified": "2021-05-05T21:33:21Z",
"published": "2021-05-06T17:29:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7703"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-NISUTILS-598799"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in nis-utils"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.