CVE-2023-26158

{"id": "CVE-2023-26158", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2023-12-08T05:15:07.870", "references": [{"url": "https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755", "tags": ["Broken Link"], "source": "[email protected]"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1321"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).\r\rUser controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.\r\r Workaround\r\rBy using a denylist of dangerous attributes, this weakness can be eliminated.\r\rAdd the following line in the Util.extend function:\r\rjs\rjs if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\r\r\rjs\r// src/mock/handler.js\rUtil.extend = function extend() {\r var target = arguments[0] || {},\r i = 1,\r length = arguments.length,\r options, name, src, copy, clone\r\r if (length === 1) {\r target = this\r i = 0\r }\r\r for (; i < length; i++) {\r options = arguments[i]\r if (!options) continue\r\r for (name in options) {\r if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\r src = target[name]\r copy = options[name]\r\r if (target === copy) continue\r if (copy === undefined) continue\r\r if (Util.isArray(copy) || Util.isObject(copy)) {\r if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : []\r if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {}\r\r target[name] = Util.extend(clone, copy)\r } else {\r target[name] = copy\r }\r }\r }\r\r return target\r }\r"}, {"lang": "es", "value": "Todas las versiones del paquete mockjs son vulnerables a Prototype Pollution a trav\u00e9s de la funci\u00f3n Util.extend debido a que falta verificar si el atributo se resuelve en el prototipo del objeto. Al agregar o modificar atributos de un prototipo de objeto, es posible crear atributos que existen en cada objeto o reemplazar atributos cr\u00edticos por otros maliciosos. Esto puede resultar problem\u00e1tico si el software depende de la existencia o no de ciertos atributos, o utiliza atributos predefinidos del prototipo de objeto (como hasOwnProperty, toString o valueOf). Las entradas controladas por el usuario dentro del m\u00e9todo extend() de Mock.Handler, Mock.Random, Mock.RE.Handler o Mock.Util permitir\u00e1n a un atacante explotar esta vulnerabilidad. Como workaround al utilizar una lista de atributos peligrosos, se puede eliminar esta debilidad. Agregue la siguiente l\u00ednea en la funci\u00f3n Util.extend: js js if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue js // src/mock/handler.js Util.extend = function extend() { var target = arguments[0] || {}, i = 1, length = arguments.length, options, name, src, copy, clone if (length === 1) { target = this i = 0 } for (; i &lt; length; i++) { options = arguments[i] if (!options) continue for (name in options) { if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue src = target[name] copy = options[name] if (target === copy) continue if (copy === undefined) continue if (Util.isArray(copy) || Util.isObject(copy)) { if (Util.isArray(copy)) clone = src &amp;&amp; Util.isArray(src) ? src : [] if (Util.isObject(copy)) clone = src &amp;&amp; Util.isObject(src) ? src : {} target[name] = Util.extend(clone, copy) } else { target[name] = copy } } } return target } "}], "lastModified": "2024-11-21T07:50:54.213", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mockjs:mock.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "557CBFB9-9781-4F55-8E18-A318EF1AF35F", "versionEndIncluding": "1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}