CVE-2021-23434: Fix prototype pollution when path components are not strings · mariocasciaro/object-path@7bdf4ab
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator always returns false when the types of the operands differ.
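Added example (not object-path's own code): a hypothetical `safeSet` whose guard flattens and stringifies every path component before comparing it with the forbidden keys, shown beside the strict-equality comparison from the description above, which an array component slips past.

```javascript
// Keys that must never be traversed or assigned through a user-supplied path.
const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);

// Flatten nested arrays and reject anything that is not a string or a number,
// so every component reaches the guard as a plain string (assumed policy).
function normalizePath(path) {
  const parts = Array.isArray(path) ? path.flat(Infinity) : String(path).split('.');
  return parts.map((p) => {
    if (typeof p !== 'string' && typeof p !== 'number') {
      throw new TypeError('path components must be strings or numbers');
    }
    return String(p);
  });
}

// Hypothetical setter: normalize first, then guard, then walk.
function safeSet(obj, path, value) {
  const keys = normalizePath(path);
  for (const k of keys) {
    if (FORBIDDEN.has(k)) {
      throw new Error('For security reasons, refusing to use key ' + k);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// The comparison from the advisory, for contrast: an array component
// is never === to the string, so this guard reports "not forbidden".
function naiveGuardRejects(component) {
  return component === '__proto__';
}
```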
@@ -241,12 +241,18 @@ describe('set’, function () { objectPath.set({}, '__proto__.injected’, ‘this is bad’) expect(Object.prototype.injected).to.be.undefined
objectPath.set({}, [[‘__proto__’], ‘injected’], ‘this is bad’) expect(Object.prototype.injected).to.be.undefined
function Clazz() {} Clazz.prototype.test = ‘original’
objectPath.set(new Clazz(), '__proto__.test’, ‘this is bad’) expect(Clazz.prototype.test).to.be.equal(‘original’)
objectPath.set(new Clazz(), [[‘__proto__’], ‘test’], ‘this is bad’) expect(Clazz.prototype.test).to.be.equal(‘original’)
objectPath.set(new Clazz(), 'constructor.prototype.test’, ‘this is bad’) expect(Clazz.prototype.test).to.be.equal(‘original’) }) @@ -256,6 +262,11 @@ describe('set’, function () { .to.throw(‘For security reasons’) expect(Object.prototype.injected).to.be.undefined
expect(function() { objectPath.withInheritedProps.set({}, [[‘__proto__’], ‘injected’], ‘this is bad’) expect(Object.prototype.injected).to.be.undefined }).to.throw(‘For security reasons’)
function Clazz() {} Clazz.prototype.test = ‘original’
@@ -267,8 +278,11 @@ describe('set’, function () { .to.throw(‘For security reasons’) expect(Clazz.prototype.test).to.be.equal(‘original’)
const obj = {} expect(function() {objectPath.withInheritedProps.set(obj, 'constructor.prototype.injected’, ‘this is OK’)}) expect(function() {objectPath.withInheritedProps.set({}, 'constructor.prototype.injected’, ‘this is OK’)}) .to.throw(‘For security reasons’) expect(Object.prototype.injected).to.be.undefined
expect(function() {objectPath.withInheritedProps.set({}, [[‘constructor’], 'prototype’, ‘injected’], ‘this is bad’)}) .to.throw(‘For security reasons’) expect(Object.prototype.injected).to.be.undefined })
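Review bot: in the third hunk, `expect(function() {objectPath.withInheritedProps.set(obj, 'constructor.prototype.injected', 'this is OK')})` chains no `.to.throw` or `.to.not.throw`, so it asserts nothing; either finish it with the expected outcome or drop it together with the unused `const obj = {}`. The new cases (`[['__proto__'], 'injected']`, `[['__proto__'], 'test']`, `[['constructor'], 'prototype', 'injected']`) all exercise exactly one level of array nesting inside `describe('set', ...)`; since the fix is about path components that are not strings in general, a case with a deeper nested array and one with a non-string, non-array component (a number or an object) would pin down that the guard normalizes components rather than special-casing single-element arrays, and the same path shapes should be asserted for the other accessors, not only `set`.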
Related news
Ubuntu Security Notice 5967-1 - It was discovered that the set method in object-path could be corrupted as a result of prototype pollution by sending a message to the parent process. An attacker could use this issue to cause object-path to crash.
Red Hat Advanced Cluster Management for Kubernetes 2.3.3 General Availability release images, which fix bugs, provide security fixes, and update container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3805: nodejs-object-path: prototype pollution vulnerability * CVE-2021-23017: nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name * CVE-2021-23434: object-path: Type confusion vulnerability can lead to a bypass of C...
Red Hat Advanced Cluster Management for Kubernetes 2.2.9 General Availability release images, which provide security updates, one or more container updates, and bug fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3795: semver-regex: inefficient regular expression complexity * CVE-2021-23017: nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name * CVE-2021-23434: object-path: Type confusion vulnerability can lead to ...