JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files).

The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.

`JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability.

This vulnerability is patched in json5 version 2.2.2 and later.

https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
https://github.com/json5/json5/issues/199
https://github.com/json5/json5/issues/295
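An added illustration of the behaviour the report describes; it is not part of the original report and not code from the json5 project. `buildNaive`, `buildHardened` and `inheritedKeys` are hypothetical helpers, the sample document is constructed, and plain assignment stands in for a parser that does not special-case `__proto__`.

```javascript
// Constructed sample input: a document that carries a "__proto__" key.
const SAMPLE = '{"user": "alice", "__proto__": {"isAdmin": true}}';

// Stand-in for a parser that stores members with plain assignment.
// Assigning to "__proto__" triggers the inherited setter, so the value
// becomes the prototype of this one object instead of an own property.
function buildNaive(entries) {
  const out = {};
  for (const [key, value] of entries) out[key] = value;
  return out;
}

// Hardened form: define each member as an own data property, which makes
// "__proto__" an ordinary key and leaves the object's prototype untouched.
function buildHardened(entries) {
  const out = {};
  for (const [key, value] of entries) {
    Object.defineProperty(out, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return out;
}

// Check for callers: list keys that are visible on a parsed object but are
// not its own properties, i.e. keys that arrived through the prototype.
function inheritedKeys(obj) {
  const found = [];
  for (const key in obj) {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) found.push(key);
  }
  return found;
}

function demo() {
  // JSON.parse leaves the prototype alone; "__proto__" is an own key here,
  // so Object.entries hands it to both builders as ordinary data.
  const entries = Object.entries(JSON.parse(SAMPLE));
  return { naive: buildNaive(entries), hardened: buildHardened(entries) };
}

const { naive, hardened } = demo();
console.log(naive.isAdmin, inheritedKeys(naive));       // key reached via the prototype
console.log(hardened.isAdmin, inheritedKeys(hardened)); // nothing inherited
console.log(({}).isAdmin);                              // global Object.prototype unaffected
```

Code that consumes parsed configuration can apply the same own-property test before trusting a key such as `isAdmin`.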
Created cockatrice tracking bugs for this issue:
Affects: fedora-36 [bug 2162374]

Created fawkes tracking bugs for this issue:
Affects: fedora-36 [bug 2162375]

Created golang-entgo-ent tracking bugs for this issue:
Affects: fedora-36 [bug 2162376]

Created golang-github-apache-beam-2 tracking bugs for this issue:
Affects: fedora-36 [bug 2162377]

Created golang-github-flynn-json5 tracking bugs for this issue:
Affects: fedora-36 [bug 2162378]
Affects: fedora-37 [bug 2162391]

Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-7 [bug 2162370]

Created golang-github-zyedidia-json5 tracking bugs for this issue:
Affects: fedora-36 [bug 2162379]
Affects: fedora-37 [bug 2162392]

Created grafana tracking bugs for this issue:
Affects: fedora-36 [bug 2162380]

Created micro tracking bugs for this issue:
Affects: epel-8 [bug 2162371]
Affects: fedora-36 [bug 2162381]
Affects: fedora-37 [bug 2162393]

Created mozjs68 tracking bugs for this issue:
Affects: fedora-36 [bug 2162382]

Created mozjs78 tracking bugs for this issue:
Affects: fedora-36 [bug 2162383]

Created pcs tracking bugs for this issue:
Affects: fedora-36 [bug 2162384]
Affects: fedora-37 [bug 2162394]

Created pgadmin4 tracking bugs for this issue:
Affects: fedora-37 [bug 2162395]

Created python-ipyparallel tracking bugs for this issue:
Affects: fedora-36 [bug 2162385]
Affects: fedora-37 [bug 2162396]

Created python-json5 tracking bugs for this issue:
Affects: epel-8 [bug 2162372]
Affects: fedora-36 [bug 2162386]
Affects: fedora-37 [bug 2162397]

Created rust-json5 tracking bugs for this issue:
Affects: fedora-36 [bug 2162387]
Affects: fedora-37 [bug 2162398]

Created seamonkey tracking bugs for this issue:
Affects: epel-8 [bug 2162373]
Affects: fedora-36 [bug 2162388]

Created yarnpkg tracking bugs for this issue:
Affects: fedora-36 [bug 2162389]
Affects: fedora-37 [bug 2162399]

Created zuul tracking bugs for this issue:
Affects: fedora-36 [bug 2162390]
Also fixed in 1.0.2 [1].

[1] https://github.com/json5/json5/issues/295#issuecomment-1368766058
(In reply to Avinash Hanwate from comment #12)
> Created rust-json5 tracking bugs for this issue:
>
> Affects: fedora-36 [bug 2162387]
> Affects: fedora-37 [bug 2162398]

The json5 crate (https://crates.io/crates/json5) is independent, and a CWE like Prototype Pollution isn't possible in a static language like Rust anyway. I suspect the golang and Python packages are similarly independent, but I haven't confirmed that.
This issue has been addressed in the following products: RHOL-5.6-RHEL-8 Via RHSA-2023:0634 https://access.redhat.com/errata/RHSA-2023:0634
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-46175
This issue has been addressed in the following products: MTA-6.0-RHEL-8 Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428
This issue has been addressed in the following products: RHODF-4.13-RHEL-9 Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742