CVE-2022-21803 Information

Description

This affects the package nconf before 0.11.4. When using the memory engine it is possible to store a nested JSON representation of the configuration. The .set() function that is responsible for setting the configuration properties is vulnerable to Prototype Pollution. By providing a crafted property it is possible to modify the properties on the Object.prototype.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

https://snyk.io/vuln/SNYK-JS-NCONF-2395478 https://github.com/indexzero/nconf/releases/tag/v0.11.4 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450 https://github.com/indexzero/nconf/pull/397

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.5