CVE-2022-21803

{"id": "CVE-2022-21803", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-04-12T16:15:08.480", "references": [{"url": "https://github.com/indexzero/nconf/pull/397", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/indexzero/nconf/releases/tag/v0.11.4", "tags": ["Release Notes", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JS-NCONF-2395478", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/indexzero/nconf/pull/397", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/indexzero/nconf/releases/tag/v0.11.4", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://snyk.io/vuln/SNYK-JS-NCONF-2395478", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype."}, {"lang": "es", "value": "Esto afecta al paquete nconf versiones anteriores a 0.11.4. Cuando es usado el motor de memoria, es posible almacenar una representaci\u00f3n JSON anidada de la configuraci\u00f3n. La funci\u00f3n .set(), que es encargada de establecer las propiedades de la configuraci\u00f3n, es vulnerable a una contaminaci\u00f3n de prototipos. Al proporcionar una propiedad dise\u00f1ada, es posible modificar las propiedades en el Object.prototype"}], "lastModified": "2024-11-21T06:45:28.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nconf_project:nconf:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "AE5C38D2-0CAD-43B8-AF82-F0BCF53A921B", "versionEndExcluding": "0.11.4"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}