CVE-2022-4742: Merge pull request #36 from hhomar/fix-prototype-pollution · manuelstofer/json-pointer@859c998

A vulnerability, which was classified as critical, has been found in json-pointer. Affected by this issue is the function set of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The name of the patch is 859c9984b6c407fc2d5a0a7e47c7274daa681941. It is recommended to apply a patch to fix this issue. VDB-216794 is the identifier assigned to this vulnerability.
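As an added illustration (not code from json-pointer or from the patch above), a minimal pointer-based `set` that refuses the prototype-walking tokens before it touches the target object; the function names `parsePointer`, `setByPointer` and `demoGuard` are this example's own:

```javascript
// Added example: a small JSON Pointer "set" with the guard that CVE-2022-4742
// describes as missing in json-pointer's `set`. Not the library's code.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// RFC 6901 string pointer -> tokens ("/a/b~1c" -> ["a", "b/c"]), unescaping ~1 and ~0.
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error('Invalid JSON pointer: ' + pointer);
  return pointer
    .slice(1)
    .split('/')
    .map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Writes `value` at `pointer` (string or token array) inside `obj`, creating
// intermediate objects as needed. Every token is coerced to a string before the
// guard runs, so a non-string token cannot slip past the comparison and still
// stringify to "__proto__" at property-access time.
function setByPointer(obj, pointer, value) {
  const tokens = Array.isArray(pointer) ? pointer.map(String) : parsePointer(pointer);
  if (tokens.length === 0) throw new Error('Cannot set the root document');
  let cur = obj;
  for (let i = 0; i < tokens.length; i++) {
    const tok = tokens[i];
    if (POLLUTING_KEYS.has(tok)) {
      throw new Error('Refusing to traverse prototype key: ' + tok);
    }
    if (i === tokens.length - 1) {
      cur[tok] = value;
    } else {
      // Only descend into an own, non-null object; otherwise create a fresh one.
      const own = Object.prototype.hasOwnProperty.call(cur, tok);
      if (!own || typeof cur[tok] !== 'object' || cur[tok] === null) cur[tok] = {};
      cur = cur[tok];
    }
  }
  return obj;
}

// Returns true when the rejected pointer leaves both the target and
// Object.prototype untouched (the property the upstream tests check).
function demoGuard() {
  const target = {};
  let rejected = false;
  try { setByPointer(target, ['__proto__', 'polluted'], true); } catch (e) { rejected = true; }
  return rejected && ({}).polluted === undefined && target.polluted === undefined;
}
```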


@@ -446,6 +446,15 @@ describe('convenience api wrapper’, function() {

expect(obj2.polluted).to.be.undefined();

});

it('should not set __proto__ (array)', function () {

var obj = {}, objPointer = pointer(obj);

expect(obj.polluted).to.be.undefined();

objPointer.set([[‘__proto__’], ‘polluted’], true);

expect(obj.polluted).to.be.undefined();

var obj2 = {};

expect(obj2.polluted).to.be.undefined();

});

it('should not set prototype’, function () {

var obj = {}, objPointer = pointer(obj);

expect(obj.polluted).to.be.undefined();
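Review bot: the tests in this hunk only assert that `polluted` is absent on `obj` and on a fresh `obj2`; none of them states how `set` is expected to respond to the rejected token, so a future change that silently drops the write versus one that throws would both pass. Add an explicit expectation on the call itself, for example `expect(function () { objPointer.set(['__proto__', 'polluted'], true); }).to.throw();` if the fix rejects by throwing, or an assertion that `obj` is still `{}` if it is a no-op. Also, in the array case the first token is passed as a nested array, `[[‘__proto__’], ‘polluted’]`, which differs in shape from the string-pointer case; property access stringifies such a token, so either confirm the guard in `set` compares the stringified token (and say so in the test name) or use the plain `['__proto__', 'polluted']` form.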

Related news

RHSA-2023:3815: Red Hat Security Advisory: Service Registry (container images) release and security update [2.4.3 GA]

An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK seriali...

GHSA-6xrf-q977-5vgc: json-pointer vulnerable to Prototype Pollution
