Bug 2093111 (CVE-2022-25878) - CVE-2022-25878 protobufjs: Prototype Pollution via util.setProperty or ReflectionObject.setParsedOption methods
Summary: CVE-2022-25878 protobufjs: Prototype Pollution via util.setProperty or Reflec...
Keywords:
Status: NEW
Alias: CVE-2022-25878
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2093141 2096503 2096504 2096505 2096506
Blocks: 2093110
TreeView+ depends on / blocked
 
Reported: 2022-06-02 23:42 UTC by Todd Cullum
Modified: 2023-07-07 08:35 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in protobufjs, where it is vulnerable to Prototype Pollution, allowing an attacker to add/modify properties of the Object.prototype. This vulnerability can occur by providing untrusted user input to the util.setProperty or to the ReflectionObject.setParsedOption functions, and also by parsing/loading .proto files.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Todd Cullum 2022-06-02 23:42:50 UTC 
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files

https://github.com/protobufjs/protobuf.js/pull/1731
https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197
https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f
https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507
Comment 3 Sandipan Roy 2022-06-14 04:37:05 UTC 
Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2096506]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2096505]
Note You need to log in before you can comment on or make changes to this bug.