2328904 – (CVE-2023-0163) CVE-2023-0163 Convict: Prototype Pollution in convict

Bug 2328904 (CVE-2023-0163) - CVE-2023-0163 Convict: Prototype Pollution in convict

Summary: CVE-2023-0163 Convict: Prototype Pollution in convict

Keywords:
Status:	NEW
Alias:	CVE-2023-0163
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-11-26 12:01 UTC by OSIDB Bzimport
Modified:	2024-11-26 15:30 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-11-26 12:01:15 UTC

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict.

This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.


The main use case of Convict is for handling server-side 
configurations written by the admins owning the servers, and not random 
users. So it's unlikely that an admin would deliberately sabotage their 
own server. Still, a situation can happen where an admin not 
knowledgeable about JavaScript could be tricked by an attacker into 
writing the malicious JavaScript code into some config files.



This issue affects Convict: before 6.2.4.

Note You need to log in before you can comment on or make changes to this bug.