GHSA-9w5f-mw3p-pj47

Published: 03 Nov 2023
Source: github
Github: Reviewed
CVSS3: 7.3

Description

Prototype Pollution(PP) vulnerability in setByPath

Summary

There is a Prototype Pollution (PP) vulnerability in dot-diver. It can lead to RCE.

Details

    // https://github.com/clickbar/dot-diver/tree/main/src/index.ts:277
    // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
    objectToSet[lastKey] = value

In this code, the key is not validated against Prototype Pollution before the assignment.

PoC

    import { getByPath, setByPath } from '@clickbar/dot-diver'
    console.log({}.polluted); // undefined
    setByPath({}, 'constructor.prototype.polluted', 'foo');
    console.log({}.polluted); // foo
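
Added example, not part of the advisory and not dot-diver's own code or its 1.0.2 patch: a naive dot-path setter with the same unchecked final assignment, next to a hardened one that rejects `__proto__`, `constructor` and `prototype` segments and only descends into own properties. Both are run against the PoC path above; all function names are hypothetical.

```javascript
// Added example. Function names are hypothetical; not dot-diver's code or its 1.0.2 patch.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: same unchecked final assignment as the line quoted in Details.
function naiveSetByPath(target, path, value) {
  const keys = path.split('.');
  const lastKey = keys.pop();
  let node = target;
  for (const key of keys) {
    if (node[key] === undefined) node[key] = {};
    node = node[key]; // follows inherited properties such as `constructor`
  }
  node[lastKey] = value;
}

// Hardened setter: validates every segment before touching the object.
function safeSetByPath(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new TypeError(`unsafe path segment: ${key}`);
    }
  }
  const lastKey = keys.pop();
  let node = target;
  for (const key of keys) {
    // Only descend into own properties; create missing containers.
    if (!Object.prototype.hasOwnProperty.call(node, key)) node[key] = {};
    node = node[key];
    if (node === null || typeof node !== 'object') {
      throw new TypeError(`cannot descend into non-object at: ${key}`);
    }
  }
  node[lastKey] = value;
  return target;
}

// Runs the advisory's PoC path against both setters and reports the outcome.
function comparePocPath() {
  const pocPath = 'constructor.prototype.polluted';
  naiveSetByPath({}, pocPath, 'foo');
  const naivePolluted = {}.polluted === 'foo';
  delete Object.prototype.polluted; // restore the global prototype
  let rejected = false;
  try { safeSetByPath({}, pocPath, 'foo'); } catch (e) { rejected = e instanceof TypeError; }
  const safePolluted = 'polluted' in {};
  return { naivePolluted, rejected, safePolluted };
}
console.log(comparePocPath());
```

The same segment check is needed on every code path that turns caller-supplied strings into property keys, not only the final assignment.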

Impact

It is Prototype Pollution (PP) and it can lead to DoS, RCE, etc.

Credits

Team : NodeBoB

최지혁 ( Jihyeok Choi )

이동하 ( Lee Dong Ha of ZeroPointer Lab )

강성현 ( kang seonghyeun )

박성진 ( sungjin park )

김찬호 ( Chanho Kim )

이수영 ( Lee Su Young )

김민욱 ( MinUk Kim )

Packages

Name: @clickbar/dot-diver (npm)
Affected versions: < 1.0.2
Fixed version: 1.0.2

EPSS

Percentile: 92%
0.08398
Low

7.3 High

CVSS3

Weaknesses

CWE-1321

Related vulnerabilities

CVSS3: 7.3
nvd
more than 2 years ago

Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.

CVSS3: 9.8
fstec
more than 2 years ago

A vulnerability in the dot-diver library related to uncontrolled modification of object prototype attributes, allowing an attacker to execute arbitrary code
