CVE-2022-21803

Prototype Pollution

CVSS 7.3 HIGHEPSS 1.7%

This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

Productos afectados

n/a · nconf

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/indexzero/nconf/pull/397 https://github.com/indexzero/nconf/releases/tag/v0.11.4 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450 https://snyk.io/vuln/SNYK-JS-NCONF-2395478