CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-JJF7-VP9P-J843
Vulnerability from github – Published: 2024-03-15 15:30 – Updated: 2024-03-15 15:30Cryptographic key vulnerability encoded in the FriendlyWrt firmware affecting version 2022-11-16.51b3d35. This vulnerability could allow an attacker to compromise the confidentiality and integrity of encrypted data.
{
"affected": [],
"aliases": [
"CVE-2024-2495"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-15T13:15:09Z",
"severity": "MODERATE"
},
"details": "Cryptographic key vulnerability encoded in the FriendlyWrt firmware affecting version 2022-11-16.51b3d35. This vulnerability could allow an attacker to compromise the confidentiality and integrity of encrypted data.",
"id": "GHSA-jjf7-vp9p-j843",
"modified": "2024-03-15T15:30:43Z",
"published": "2024-03-15T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2495"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/cryptographic-key-plain-text-vulnerability-friendlyelecs-friendlywrt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJFF-Q3Q4-5HH8
Vulnerability from github – Published: 2024-04-18 15:30 – Updated: 2026-06-11 14:14An issue inandrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@andrei-tatar/nora-firebase-common"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.41"
},
{
"fixed": "1.12.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-30564"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-18T16:58:17Z",
"nvd_published_at": "2024-04-18T15:15:30Z",
"severity": "CRITICAL"
},
"details": "An issue inandrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method.",
"id": "GHSA-jjff-q3q4-5hh8",
"modified": "2026-06-11T14:14:49Z",
"published": "2024-04-18T15:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30564"
},
{
"type": "WEB",
"url": "https://github.com/andrei-tatar/nora-firebase-common/issues/9"
},
{
"type": "WEB",
"url": "https://github.com/andrei-tatar/nora-firebase-common/commit/bf30b75d51be04f6c1f884561a223226c890f01b"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/5dc2c948c2057f98d3de0a9790903c6c"
},
{
"type": "PACKAGE",
"url": "https://github.com/andrei-tatar/nora-firebase-common"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability"
}
GHSA-JP4X-W63M-7WGM
Vulnerability from github – Published: 2018-04-26 15:25 – Updated: 2025-05-29 22:49Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.
The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
This type of attack can be used to overwrite existing properties causing a potential denial of service.
Recommendation
Update to version 4.2.1, 5.0.3 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hoek"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "hoek"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-3728"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:43:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require(\u0027hoek\u0027);\nvar malicious_payload = \u0027{\"__proto__\":{\"oops\":\"It works !\"}}\u0027;\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.\n\n\n## Recommendation\n\nUpdate to version 4.2.1, 5.0.3 or later.",
"id": "GHSA-jp4x-w63m-7wgm",
"modified": "2025-05-29T22:49:49Z",
"published": "2018-04-26T15:25:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3728"
},
{
"type": "WEB",
"url": "https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee"
},
{
"type": "WEB",
"url": "https://github.com/hapijs/hoek/commit/5aed1a8c4a3d55722d1c799f2368857bf418d6df"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/310439"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1263"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1264"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapijs/hoek"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/npm:hoek:20180212"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227131737/https://www.securityfocus.com/bid/103108"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in hoek"
}
GHSA-JPQ3-XF27-5JF2
Vulnerability from github – Published: 2021-05-06 18:26 – Updated: 2021-05-04 23:40All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "safe-object2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7726"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-04T23:40:42Z",
"nvd_published_at": "2020-09-01T10:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.",
"id": "GHSA-jpq3-xf27-5jf2",
"modified": "2021-05-04T23:40:42Z",
"published": "2021-05-06T18:26:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7726"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SAFEOBJECT2-598801"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in safe-object2"
}
GHSA-JV35-XQG7-F92R
Vulnerability from github – Published: 2021-06-21 17:16 – Updated: 2023-09-13 20:02Prototype pollution vulnerability in ‘set-getter’ version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "set-getter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25949"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-14T19:22:58Z",
"nvd_published_at": "2021-06-10T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u2018set-getter\u2019 version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-jv35-xqg7-f92r",
"modified": "2023-09-13T20:02:47Z",
"published": "2021-06-21T17:16:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25949"
},
{
"type": "WEB",
"url": "https://github.com/doowb/set-getter/commit/66eb3f0d4686a4a8c7c3d6f7ecd8e570b580edc4"
},
{
"type": "PACKAGE",
"url": "https://github.com/doowb/set-getter"
},
{
"type": "WEB",
"url": "https://github.com/doowb/set-getter/blob/5bc2750fe1c3db9651d936131be187744111378d/index.js#L56"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210615022308/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25949"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "set-getter Prototype Pollution Vulnerability"
}
GHSA-JVF5-Q4H5-2JMJ
Vulnerability from github – Published: 2021-05-06 17:28 – Updated: 2021-05-05 21:41madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "madlib-object-utils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7701"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T21:41:45Z",
"nvd_published_at": "2020-08-14T15:15:00Z",
"severity": "CRITICAL"
},
"details": "madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.",
"id": "GHSA-jvf5-q4h5-2jmj",
"modified": "2021-05-05T21:41:45Z",
"published": "2021-05-06T17:28:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7701"
},
{
"type": "WEB",
"url": "https://github.com/Qwerios/madlib-object-utils/commit/2a8d5be4fddfe46b69fbe25b9ebdff49a54481a8"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in madlib-object-utils"
}
GHSA-JVWF-75H9-CWGG
Vulnerability from github – Published: 2026-05-12 15:01 – Updated: 2026-05-14 20:35Summary
protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality.
Impact
An attacker who can provide or influence protobuf schemas or JSON descriptors may be able to corrupt built-in process state in a way that causes subsequent application code or protobufjs code to fail. This can result in a persistent denial of service for the lifetime of the affected process.
This issue affects applications that parse or load protobuf schemas or descriptors from untrusted sources. Applications that use bundled, generated, or otherwise trusted schemas to decode untrusted protobuf message payloads are not directly affected.
The issue is not known to allow code execution by itself.
Preconditions
- The application must allow an attacker to control or influence a protobuf schema or JSON descriptor.
- The application must parse or load that schema through protobufjs reflection APIs such as
parse,Root.load,Root.loadSync, orRoot.fromJSON. - The crafted input must contain option paths that reach unsafe inherited properties during option processing.
Workarounds
Do not parse or load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or reject option names containing unsafe property path components before loading them, and run schema processing in an isolated process.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.5"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.1"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44290"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T15:01:13Z",
"nvd_published_at": "2026-05-13T16:16:55Z",
"severity": "HIGH"
},
"details": "## Summary\n\nprotobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality.\n\n## Impact\n\nAn attacker who can provide or influence protobuf schemas or JSON descriptors may be able to corrupt built-in process state in a way that causes subsequent application code or protobufjs code to fail. This can result in a persistent denial of service for the lifetime of the affected process.\n\nThis issue affects applications that parse or load protobuf schemas or descriptors from untrusted sources. Applications that use bundled, generated, or otherwise trusted schemas to decode untrusted protobuf message payloads are not directly affected.\n\nThe issue is not known to allow code execution by itself.\n\n## Preconditions\n\n- The application must allow an attacker to control or influence a protobuf schema or JSON descriptor.\n- The application must parse or load that schema through protobufjs reflection APIs such as `parse`, `Root.load`, `Root.loadSync`, or `Root.fromJSON`.\n- The crafted input must contain option paths that reach unsafe inherited properties during option processing.\n\n## Workarounds\n\nDo not parse or load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or reject option names containing unsafe property path components before loading them, and run schema processing in an isolated process.",
"id": "GHSA-jvwf-75h9-cwgg",
"modified": "2026-05-14T20:35:12Z",
"published": "2026-05-12T15:01:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jvwf-75h9-cwgg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44290"
},
{
"type": "PACKAGE",
"url": "https://github.com/protobufjs/protobuf.js"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "protobuf.js: Process-wide denial of service through unsafe option paths"
}
GHSA-JX5Q-G37M-H5HJ
Vulnerability from github – Published: 2022-01-06 18:29 – Updated: 2022-01-04 22:46Summary
By sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution.
Workarounds
Configure WAF to drop requests containing next strings: __proto__ , constructor[prototype], constructor.prototype
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "oro/platform"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "oro/platform"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43852"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-04T22:46:13Z",
"nvd_published_at": "2022-01-04T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nBy sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution.\n\n### Workarounds\n\nConfigure WAF to drop requests containing next strings: `__proto__` , `constructor[prototype]`, `constructor.prototype`",
"id": "GHSA-jx5q-g37m-h5hj",
"modified": "2022-01-04T22:46:13Z",
"published": "2022-01-06T18:29:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oroinc/platform/security/advisories/GHSA-jx5q-g37m-h5hj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43852"
},
{
"type": "WEB",
"url": "https://github.com/oroinc/platform/commit/62c26936b3adee9c20255dcd9f8ee5c299b464a9"
},
{
"type": "PACKAGE",
"url": "https://github.com/oroinc/platform"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Client-Side JavaScript Prototype Pollution in oro/platform"
}
GHSA-JXFH-8WGV-VFR2
Vulnerability from github – Published: 2020-03-10 18:03 – Updated: 2022-02-08 22:06In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution.
Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dojo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "dojo"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "dojo"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "dojo"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "dojo"
},
"ranges": [
{
"events": [
{
"introduced": "1.15.0"
},
{
"fixed": "1.15.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "dojo"
},
"ranges": [
{
"events": [
{
"introduced": "1.16.0"
},
{
"fixed": "1.16.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5258"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-74",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2020-03-10T18:02:00Z",
"nvd_published_at": "2020-03-10T18:15:00Z",
"severity": "HIGH"
},
"details": "In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution.\n\nPrototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.\nAn attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. \n\nThis has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2",
"id": "GHSA-jxfh-8wgv-vfr2",
"modified": "2022-02-08T22:06:45Z",
"published": "2020-03-10T18:03:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5258"
},
{
"type": "WEB",
"url": "https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d"
},
{
"type": "PACKAGE",
"url": "https://github.com/dojo/dojo"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b@%3Cusers.qpid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3@%3Cusers.qpid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00@%3Cusers.qpid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in dojo"
}
GHSA-JXVF-M3X5-MXWQ
Vulnerability from github – Published: 2022-07-19 14:28 – Updated: 2022-08-10 23:53Properties-Reader prior to version 2.2.0 is vulnerable to prototype pollution. Version 2.2.0 contains a patch for this issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "properties-reader"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28471"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-19T14:28:59Z",
"nvd_published_at": "2022-07-25T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Properties-Reader prior to version 2.2.0 is vulnerable to prototype pollution. Version 2.2.0 contains a patch for this issue.",
"id": "GHSA-jxvf-m3x5-mxwq",
"modified": "2022-08-10T23:53:55Z",
"published": "2022-07-19T14:28:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28471"
},
{
"type": "WEB",
"url": "https://github.com/steveukx/properties/issues/40"
},
{
"type": "WEB",
"url": "https://github.com/steveukx/properties/commit/0877cc871db9865f58dd9389ce99e61be05380a5"
},
{
"type": "WEB",
"url": "https://github.com/steveukx/properties/commit/4e4bc392ecfd0a128f48c1d69f64a0d7194fcaab"
},
{
"type": "PACKAGE",
"url": "https://github.com/steveukx/properties"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-PROPERTIESREADER-1048968"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Properties-Reader before v2.2.0 vulnerable to prototype pollution"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.