CVE-2022-23631

Опубликовано: 09 фев. 2022

Источник: nvd

CVSS3: 9

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.

Ссылки

https://github.com/advisories/GHSA-5888-ffcr-r425
Exploit
Third Party Advisory
https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425
Exploit
Third Party Advisory
https://www.sonarsource.com/blog/blitzjs-prototype-pollution/
Exploit
Third Party Advisory
https://github.com/advisories/GHSA-5888-ffcr-r425
Exploit
Third Party Advisory
https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425
Exploit
Third Party Advisory
https://www.sonarsource.com/blog/blitzjs-prototype-pollution/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:blitzjs:blitz:*:*:*:*:*:node.js:*:*

Версия до 0.45.3 (исключая)

cpe:2.3:a:blitzjs:superjson:*:*:*:*:*:node.js:*:*

Версия до 1.8.1 (исключая)

EPSS

Процентиль: 60%

0.00398

Низкий

9 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94

CWE-1321

Связанные уязвимости

GHSA-5888-ffcr-r425

CVSS3: 9

github

почти 4 года назад

Prototype Pollution leading to Remote Code Execution in superjson

EPSS

Процентиль: 60%

0.00398

Низкий

9 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94

CWE-1321