exploitDog

CVE-2023-36665

Published: 05 Jul 2023
Source: redhat
CVSS3: 8.6
EPSS: Low

Description

protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

A flaw was found in protobuf.js. The affected versions of protobuf.js could allow a remote attacker to execute arbitrary code on the system by way of prototype pollution. By sending a specially crafted message, an attacker can execute arbitrary code on the system.

Report

For Red Hat Enterprise Linux, protobufjs in Grafana is used for communication with trusted sources (prometheus/openmetrics scraping); end-user communication is over HTTP. While this CVE is in Grafana (rhel-8, rhel-9), it will be resolved via a Grafana rebase. Hence, it is marked as wontfix.

Affected packages

Platform                                   Package                  State          Recommendation   Release
Red Hat Ceph Storage 6                     ceph                     Not affected
Red Hat Ceph Storage 6                     grafana                  Affected
Red Hat Enterprise Linux 8                 grafana                  Will not fix
Red Hat Enterprise Linux 9                 grafana                  Will not fix
Red Hat OpenShift Container Platform 4     openshift4/ose-console   Will not fix


Additional information

Status (Red Hat severity): Moderate
Weakness: CWE-1321
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2220812 (protobufjs: prototype pollution using user-controlled protobuf message)

EPSS: 0.01673 (percentile: 82%), Low

CVSS3: 8.6 High

Related vulnerabilities

CVSS3: 9.8
Source: nvd
More than 2 years ago

(The NVD entry's description is identical to the description above.)

CVSS3: 9.8
Source: github
More than 2 years ago

protobufjs Prototype Pollution vulnerability
