Lucene search

GitHub_MCVELIST:CVE-2022-23631

HistoryFeb 09, 2022 - 9:55 p.m.

CVE-2022-23631 Prototype Pollution leading to Remote Code Execution in superjson

2022-02-0921:55:10

CWE-94

GitHub_M

www.cve.org

superjson

javascript expressions

remote code execution

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.006

Percentile

78.3%

JSON

superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.

CNA Affected

[
  {
    "vendor": "blitz-js",
    "product": "superjson",
    "versions": [
      {
        "version": "< 1.8.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/advisories/GHSA-5888-ffcr-r425

github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425

www.sonarsource.com/blog/blitzjs-prototype-pollution/

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.006

Percentile

78.3%

JSON

Related for CVELIST:CVE-2022-23631