denial of service and may lead to remote code execution vulnerability #19
Comments
Please provide some code to demonstrate/reproduce the issue you're having.
I think, like others, we only get the notification that there is a problem with this line 71 described in mdeknowis's post. Whitesource: https://www.whitesourcesoftware.com/vulnerability-database/ But there is no more information :(
Thanks @BLoeT. Since the PoC Code doesn't actually show checking another object to see if the prototype has been modified, this shouldn't be a valid issue:

```js
const Cache = require('cache-base');
const cache = new Cache();
const anotherObject = {};
cache.set('__proto__.polluted', 'true');
console.log(anotherObject.polluted);
// undefined
```

If this was a valid security issue, then //cc @whitesource @rarkins how do we get this addressed in the whitesource database?
Hi Brian (@doowb), we have been trying to reach you and your team for the past two months; please check your mail and spam folder, where you can find a detailed report. We can discuss this issue and figure out together what our next steps should be. @BLoeT, at this time you can see the details about this vulnerability here - https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28275 and here https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28275 Thanks,
@danielelkabes please see the comment above. The underlying
@danielelkabes I found your email from today and responded. I never received the original email with a report, so I'm not able to speak to anything other than what's in the linked CVE. If there is more, I'm happy to have a discussion so we can create a reproducible test case and provide a fix. @rarkins thank you for pointing to
It'd be great if a potential patch could be backported to older versions, including v1. Our project refers to
Hi Brian (@doowb) after our additional discussions and review regarding this issue, we have agreed that there is no vulnerability here, and that you are indeed sanitizing the key value correctly within set-value package dependency. Thanks for your assistance in resolving this, it is much appreciated!
Here is a repro which allows to pollute the prototype:

```js
const Cache = require("cache-base");
const c = new Cache("cache");
const key = "__proto__"; // <- This needs to be user controlled
const entry = c.get(key);
entry.hello = "polluted";
console.log({}.hello);
```
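As an added example (not cache-base's or get-value's own code), a minimal dotted-path getter in the style of the lookup the repro above exercises, beside a hardened version that refuses `__proto__`, `constructor` and `prototype` segments and reads only own properties. The store object and keys are constructed for the demonstration; the function names are hypothetical.

```javascript
// Added example, not cache-base's code: a naive dotted-path getter and a
// hardened one. Store contents and keys below are constructed sample data.

// Naive lookup: walks each segment with plain property access, so a
// user-controlled key of "__proto__" hands back Object.prototype itself.
function naiveGet(obj, path) {
  const segs = Array.isArray(path) ? path : String(path).split('.');
  let cur = obj;
  for (const seg of segs) {
    if (cur == null) return undefined;
    cur = cur[seg];
  }
  return cur;
}

// Segments that reach the shared prototype chain instead of stored data.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened lookup: rejects unsafe segments outright and only follows
// properties the current object actually owns (no inherited lookups).
function safeGet(obj, path) {
  const segs = Array.isArray(path) ? path : String(path).split('.');
  let cur = obj;
  for (const seg of segs) {
    if (UNSAFE_SEGMENTS.has(seg)) {
      throw new TypeError(`refusing to traverse unsafe key: ${seg}`);
    }
    if (cur == null || !Object.prototype.hasOwnProperty.call(cur, seg)) {
      return undefined;
    }
    cur = cur[seg];
  }
  return cur;
}

// Constructed sample store, standing in for a cache-base instance's data.
function sampleStore() {
  return { user: { name: 'alice' } };
}

// True when a naive lookup of `key` returns the shared Object.prototype,
// i.e. mutating the result would affect every plain object in the process.
function leaksPrototype(key) {
  return naiveGet(sampleStore(), key) === Object.prototype;
}

// True when safeGet refuses `key` with a TypeError.
function isRejected(key) {
  try { safeGet(sampleStore(), key); return false; }
  catch (e) { return e instanceof TypeError; }
}
```

Run `leaksPrototype('__proto__')` against `isRejected('__proto__')` to see the two getters diverge only on the unsafe key; ordinary keys like `user.name` resolve identically in both.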
@danielelkabes Are you with Whitesource? Can we expect that you revoke the CVE and will not alert any further findings with Whitesource code checks?
@sokra that prototype pollution appears to come from Both v3 and v4 of @danielelkabes will assess whether to update the description of the existing CVE or if it's more appropriate to issue a new one |
@snipem our comments crossed paths. There is a vulnerability remaining in this library although it's possible the existing CVE will be rejected and a new one issued for
Thank you @danielelkabes for looking into this further. I'm going to close this issue and we can discuss
Note there are a few more related (security) issues:
@rarkins Wow that was quick. Our on-premise installation removed the vulnerability just minutes after our discussion. Thanks.
@sokra I agree with you that there are some other bugs/issues. I don't believe all of those are necessarily security related due to the difference in developer/implementor vs user supplied inputs. Also, PRs are welcome with fixes for these bugs ;)
any update on resolving this? still being reported via npm |
I'm not sure which DB npm uses but the CVE has been rejected officially: https://nvd.nist.gov/vuln/detail/CVE-2020-28275 I also don't see it here: https://www.npmjs.com/advisories |
According to https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2020-28275 there is a vulnerability in `cache-base/index.js` (line 71 in e4d50b7).
There seems to be a CVE already assigned: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28275
Any chance to get this fixed?