Description
CVE-2022-21190 - High Severity Vulnerability
Vulnerable Library - convict-6.0.0.tgz
Featureful configuration management library for Node.js (nested structure, schema validation, etc.)
Library home page: https://registry.npmjs.org/convict/-/convict-6.0.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/convict/package.json
Dependency Hierarchy:
- cli-2.3.3.tgz (Root Library)
  - playbook-builder-2.3.3.tgz
    - ❌ convict-6.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 787d550ab037fd249932a79fcb37a055e556301e
Found in base branch: master
Vulnerability Details
This affects the package convict before 6.2.3. It is a bypass of CVE-2022-22143. The fix introduced for that issue relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it only checks whether the path starts with `__proto__` or `this.constructor.prototype`. To bypass this check it is possible to prepend the dangerous path with any string value followed by a dot, for example `foo.__proto__` or `foo.this.constructor.prototype`.
Publish Date: 2022-05-13
URL: CVE-2022-21190
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: mozilla/node-convict#384
Release Date: 2022-05-13
Fix Resolution (convict): 6.2.3
Direct dependency fix Resolution (@antora/cli): 3.0.0-alpha.10