GitHub Advisory Database: GHSA-WWXH-74FX-33C6
May 01, 2023 - 2:01 p.m.

Possible prototype pollution in metadata record, when using meta decorator

2023-05-01 14:01:02
CWE-1321
Source: GitHub Advisory Database (github.com)

CVSS3: 3.7

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.001
Percentile: 32.3%

Impact

Possible prototype pollution for the MetadataRecord, when merged with a base class’ metadata object, in meta decorator from the @aedart/support package.

The likelihood is questionable, given that a class’ metadata can only be set or altered when the class is decorated via meta(). Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can become a vulnerability.
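An added sketch of this bug class, not code from @aedart/support or from the advisory: a naive recursive merge of a base class' metadata record with a child's record, next to a hardened merge. The function names, the record layout and the sample records are assumptions constructed for the illustration.

```javascript
// Added illustration, not code from @aedart/support. Names, record layout
// and sample records are hypothetical/constructed.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlain = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: reads target[key] through the prototype chain and assigns
// nested objects by reference, so base and child can share state.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlain(source[key]) && isPlain(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: null-prototype result, own enumerable keys only, unsafe
// keys dropped, nested records rebuilt so the inputs are never written to.
function safeMerge(...records) {
  const out = Object.create(null);
  for (const record of records) {
    for (const key of Object.keys(record)) {
      if (UNSAFE_KEYS.has(key)) continue;
      const value = record[key];
      if (isPlain(value)) {
        out[key] = safeMerge(isPlain(out[key]) ? out[key] : {}, value);
      } else {
        out[key] = Array.isArray(value) ? [...value] : value;
      }
    }
  }
  return out;
}

function demo() {
  const makeBase = () => ({ service: { name: 'users' } }); // base class record
  const child = JSON.parse('{"__proto__":{"polluted":true},"service":{"scope":"child"}}');
  const base1 = makeBase();
  naiveMerge(naiveMerge({}, base1), child);
  const naive = { polluted: ({}).polluted === true, baseChanged: 'scope' in base1.service };
  delete Object.prototype.polluted; // undo the demo's side effect

  const base2 = makeBase();
  const merged = safeMerge(base2, child);
  const safe = { polluted: ({}).polluted === true, baseChanged: 'scope' in base2.service };
  return { naive, safe, merged };
}
```

`demo()` reports, for each merge, whether `Object.prototype` gained a property and whether the base record was modified by merging the child record.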

Patches

Has been patched in version 0.6.1.

Affected configurations

Vendor: aedart
Product: support
Version: * (range <0.6.1)
CPE: cpe:2.3:a:aedart:support:*:*:*:*:*:*:*:*
