Description
Prototype Pollution in hoek
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.
The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
This type of attack can be used to overwrite existing properties causing a potential denial of service.
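The demonstration referenced above is not reproduced on this page. As an added example (not hoek's own code), the JavaScript below places the shape of the bug in a naive recursive merge next to a hardened merge that refuses prototype-affecting keys, and includes a self-cleaning check that tells whether a given merge left `Object.prototype` modified; `UNSAFE_KEYS`, `naiveMerge`, `safeMerge`, `pollutesGlobalPrototype` and the payload are constructed for this illustration.

```javascript
// Added example, not hoek's code: keys that must never be copied from an
// untrusted source object into a target.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable shape: JSON.parse creates an own "__proto__" key, Object.keys
// lists it, and target["__proto__"] resolves to Object.prototype for an
// ordinary object, so the recursion writes onto the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened shape: reject prototype-affecting keys (throwing, rather than
// silently skipping, surfaces the bad payload in logs) and create nested
// containers with a null prototype so no inherited accessor is reachable.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-affecting key "${key}"`);
    }
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed payload of the kind the advisory describes.
const PAYLOAD = '{"__proto__": {"polluted": true}}';

// Detection check: merge the payload with mergeFn, report whether a fresh,
// unrelated object now sees "polluted", then undo any change it made.
function pollutesGlobalPrototype(mergeFn) {
  try { mergeFn({}, JSON.parse(PAYLOAD)); } catch (e) { /* safeMerge throws */ }
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```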
Recommendation
Update to version 4.2.1, 5.0.3 or later.
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-3728
- https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee
- https://github.com/hapijs/hoek/commit/5aed1a8c4a3d55722d1c799f2368857bf418d6df
- https://hackerone.com/reports/310439
- https://access.redhat.com/errata/RHSA-2018:1263
- https://access.redhat.com/errata/RHSA-2018:1264
- https://snyk.io/vuln/npm:hoek:20180212
- https://web.archive.org/web/20200227131737/https://www.securityfocus.com/bid/103108
Packages
- hoek: affected versions >= 5.0.0, < 5.0.3; patched in 5.0.3
- hoek: affected versions < 4.2.1; patched in 4.2.1
Related vulnerabilities
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.