CVE-2023-0163 (GCVE-0-2023-0163)

Vulnerability from cvelistv5 – Published: 2024-11-26 11:36 – Updated: 2024-11-27 16:02
VLAI?
Title
Prototype Pollution in convict
Summary
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still, a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files. This issue affects Convict: before 6.2.4.
Severity ?
8.4 (High)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
Vendor Product Version
Mozilla Convict Affected: 0 , < 6.2.4 (semver)
Create a notification for this product.
Credits
Captain-K-101
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mozilla:convict:-:*:*:*:*:node.js:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "convict",
            "vendor": "mozilla",
            "versions": [
              {
                "lessThan": "6.2.4",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-0163",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-27T15:59:57.809994Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-27T16:02:29.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Convict",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "6.2.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "Captain-K-101"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) vulnerability in Mozilla Convict.\u003c/p\u003e\u003cp\u003eThis allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.\n\u003c/p\u003e\u003cdiv\u003e\u003cp\u003eThe main use case of Convict is for handling server-side \nconfigurations written by the admins owning the servers, and not random \nusers. So it\u0027s unlikely that an admin would deliberately sabotage their \nown server. Still, a situation can happen where an admin not \nknowledgeable about JavaScript could be tricked by an attacker into \nwriting the malicious JavaScript code into some config files.\u003c/p\u003e\u003c/div\u003e\u003cp\u003eThis issue affects Convict: before 6.2.4.\u003c/p\u003e"
            }
          ],
          "value": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) vulnerability in Mozilla Convict.\n\nThis allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.\n\n\nThe main use case of Convict is for handling server-side \nconfigurations written by the admins owning the servers, and not random \nusers. So it\u0027s unlikely that an admin would deliberately sabotage their \nown server. Still, a situation can happen where an admin not \nknowledgeable about JavaScript could be tricked by an attacker into \nwriting the malicious JavaScript code into some config files.\n\n\n\nThis issue affects Convict: before 6.2.4."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-26T11:36:26.574Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mozilla/node-convict/issues/410"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Prototype Pollution in convict",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2023-0163",
    "datePublished": "2024-11-26T11:36:26.574Z",
    "dateReserved": "2023-01-10T18:24:38.341Z",
    "dateUpdated": "2024-11-27T16:02:29.836Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) vulnerability in Mozilla Convict.\\n\\nThis allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.\\n\\n\\nThe main use case of Convict is for handling server-side \\nconfigurations written by the admins owning the servers, and not random \\nusers. So it\u0027s unlikely that an admin would deliberately sabotage their \\nown server. Still, a situation can happen where an admin not \\nknowledgeable about JavaScript could be tricked by an attacker into \\nwriting the malicious JavaScript code into some config files.\\n\\n\\n\\nThis issue affects Convict: before 6.2.4.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de modificaci\\u00f3n controlada incorrectamente de atributos de prototipos de objetos (\\\"contaminaci\\u00f3n de prototipos\\\") en Mozilla Convict. Esto permite a un atacante inyectar atributos que se utilizan en otros componentes o anular atributos existentes con otros que tienen un tipo incompatible, lo que puede provocar un bloqueo. El principal caso de uso de Convict es para gestionar configuraciones del lado del servidor escritas por los administradores que poseen los servidores y no por usuarios aleatorios. Por lo tanto, es poco probable que un administrador saboteara deliberadamente su propio servidor. Aun as\\u00ed, puede ocurrir una situaci\\u00f3n en la que un administrador que no tenga conocimientos de JavaScript pueda ser enga\\u00f1ado por un atacante para que escriba el c\\u00f3digo JavaScript malicioso en algunos archivos de configuraci\\u00f3n. Este problema afecta a Convict: antes de la versi\\u00f3n 6.2.4.\"}]",
      "id": "CVE-2023-0163",
      "lastModified": "2024-11-27T16:15:06.757",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 5.9}]}",
      "published": "2024-11-26T12:15:17.390",
      "references": "[{\"url\": \"https://github.com/mozilla/node-convict/issues/410\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf\", \"source\": \"security@mozilla.org\"}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@mozilla.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1321\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-0163\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2024-11-26T12:15:17.390\",\"lastModified\":\"2025-10-15T17:51:38.243\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) vulnerability in Mozilla Convict.\\n\\nThis allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.\\n\\n\\nThe main use case of Convict is for handling server-side \\nconfigurations written by the admins owning the servers, and not random \\nusers. So it\u0027s unlikely that an admin would deliberately sabotage their \\nown server. Still, a situation can happen where an admin not \\nknowledgeable about JavaScript could be tricked by an attacker into \\nwriting the malicious JavaScript code into some config files.\\n\\n\\n\\nThis issue affects Convict: before 6.2.4.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de modificaci\u00f3n controlada incorrectamente de atributos de prototipos de objetos (\\\"contaminaci\u00f3n de prototipos\\\") en Mozilla Convict. Esto permite a un atacante inyectar atributos que se utilizan en otros componentes o anular atributos existentes con otros que tienen un tipo incompatible, lo que puede provocar un bloqueo. El principal caso de uso de Convict es para gestionar configuraciones del lado del servidor escritas por los administradores que poseen los servidores y no por usuarios aleatorios. Por lo tanto, es poco probable que un administrador saboteara deliberadamente su propio servidor. Aun as\u00ed, puede ocurrir una situaci\u00f3n en la que un administrador que no tenga conocimientos de JavaScript pueda ser enga\u00f1ado por un atacante para que escriba el c\u00f3digo JavaScript malicioso en algunos archivos de configuraci\u00f3n. Este problema afecta a Convict: antes de la versi\u00f3n 6.2.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@mozilla.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:convict:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"6.2.4\",\"matchCriteriaId\":\"BC60C785-948E-48D0-9A6B-F9BEA49B9B18\"}]}]}],\"references\":[{\"url\":\"https://github.com/mozilla/node-convict/issues/410\",\"source\":\"security@mozilla.org\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-0163\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-27T15:59:57.809994Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:mozilla:convict:-:*:*:*:*:node.js:*:*\"], \"vendor\": \"mozilla\", \"product\": \"convict\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.2.4\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-27T16:02:22.541Z\"}}], \"cna\": {\"title\": \"Prototype Pollution in convict\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Captain-K-101\"}], \"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Convict\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"6.2.4\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://github.com/mozilla/node-convict/issues/410\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) vulnerability in Mozilla Convict.\\n\\nThis allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.\\n\\n\\nThe main use case of Convict is for handling server-side \\nconfigurations written by the admins owning the servers, and not random \\nusers. So it\u0027s unlikely that an admin would deliberately sabotage their \\nown server. Still, a situation can happen where an admin not \\nknowledgeable about JavaScript could be tricked by an attacker into \\nwriting the malicious JavaScript code into some config files.\\n\\n\\n\\nThis issue affects Convict: before 6.2.4.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eImproperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) vulnerability in Mozilla Convict.\u003c/p\u003e\u003cp\u003eThis allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.\\n\u003c/p\u003e\u003cdiv\u003e\u003cp\u003eThe main use case of Convict is for handling server-side \\nconfigurations written by the admins owning the servers, and not random \\nusers. So it\u0027s unlikely that an admin would deliberately sabotage their \\nown server. Still, a situation can happen where an admin not \\nknowledgeable about JavaScript could be tricked by an attacker into \\nwriting the malicious JavaScript code into some config files.\u003c/p\u003e\u003c/div\u003e\u003cp\u003eThis issue affects Convict: before 6.2.4.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2024-11-26T11:36:26.574Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-0163\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-27T16:02:29.836Z\", \"dateReserved\": \"2023-01-10T18:24:38.341Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2024-11-26T11:36:26.574Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.