CVE Vulnerability

CVE-2022-21803

This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://snyk.io/vuln/SNYK-JS-NCONF-2395478 Exploit Third Party Advisory
https://github.com/indexzero/nconf/releases/tag/v0.11.4 Release Notes Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450 Exploit Third Party Advisory
https://github.com/indexzero/nconf/pull/397 Issue Tracking Patch
Configurations

Configuration 1

cpe:2.3:a:nconf_project:nconf:*:*:*:*:*:node.js:*:*
Information

Published : 2022-04-12 04:15

Updated : 2022-04-20 02:07

NVD link : CVE-2022-21803

Mitre link : CVE-2022-21803

Products Affected
No products.
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')