Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE–2022–25878 #404

Merged
merged 1 commit into from Sep 21, 2022
Merged

Fix CVE–2022–25878 #404

merged 1 commit into from Sep 21, 2022

Conversation

debricked[bot]
Copy link
Contributor

@debricked debricked bot commented Sep 21, 2022

CVE–2022–25878

Vulnerable dependency:     protobufjs (npm)    6.11.2

Vulnerability details

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

NVD

The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files

GitHub

Prototype Pollution in protobufjs

The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.

This vulnerability can occur in multiple ways:

  1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
  2. by parsing/loading .proto files
CVSS details - 7.5

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None
References

    Prototype Pollution in protobufjs · CVE-2022-25878 · GitHub Advisory Database · GitHub
    NVD - CVE-2022-25878
    fix: do not let setProperty change the prototype (#1731) · protobufjs/protobuf.js@b5f1391 · GitHub
    THIRD PARTY
    fix: do not let setProperty change the prototype by alexander-fenster · Pull Request #1731 · protobufjs/protobuf.js · GitHub
    GitHub - protobufjs/protobuf.js: Protocol Buffers for JavaScript (& TypeScript).
    protobuf.js/util.js at d13d5d5688052e366aa2e9169f50dfca376b32cf · protobufjs/protobuf.js · GitHub
    chore(6.x): release 6.10.3 by github-actions[bot] · Pull Request #1735 · protobufjs/protobuf.js · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

@suculent suculent merged commit de33f5d into thinx-staging Sep 21, 2022
@ghost
Copy link

ghost commented Sep 21, 2022

👇 Click on the image for a new way to code review

  • Make big changes easier — review code in small groups of related files

  • Know where to start — see the whole change at a glance

  • Take a code tour — explore the change with an interactive tour

  • Make comments and review — all fully sync’ed with github

    Try it now!

Review these changes using an interactive CodeSee Map

Legend

CodeSee Map Legend

@suculent suculent mentioned this pull request Nov 15, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@suculent