CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
85.8%
Prototype pollution vulnerability in βshvlβ versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
The NPM module βshvlβ can be abused by Prototype Pollution vulnerability since the function βset()β did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.
The βset()β function accepts four arguments object, path, val, obj
. Due to the absence of validation, at values passed into path, val
arguments, an attacker can supply a malicious value by adjusting the path
value to include the __proto__
property. Since there is no validation before assigning property to check whether the assigned path
is the Objectβs own property or not, the property isAdmin
will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate isAdmin
the valued would be substituted as βtrueβ as it had been polluted.
const shvl = require('shvl');
var obj = {}
console.log("Before : " + obj.isAdmin);
shvl.set(obj, '__proto__.isAdmin', true);
console.log("After : " + obj.isAdmin);
1.0.0-2.0.1
There are a couple of ways to mitigate prototype pollution vulnerabilities, for example: Most of the cases can be solved by freezing an object which doesnβt allow to add, remove, or change its properties. Validating the JSON input with schema validation, this guarantees that the JSON input contains only predefined attributes. We can change the objects, so they wonβt have any prototype association by using βObject.createβ.
Vendor | Product | Version | CPE |
---|---|---|---|
shvl_project | shvl | * | cpe:2.3:a:shvl_project:shvl:*:*:*:*:*:node.js:*:* |
github.com/advisories/GHSA-pqwc-3vhw-qcvq
github.com/robinvdvleuten/shvl/commit/513c0848774dfb114ad0d0554abf7927cfdd569e
github.com/robinvdvleuten/shvl/issues/34
github.com/robinvdvleuten/shvl/pull/36
nvd.nist.gov/vuln/detail/CVE-2020-28278
web.archive.org/web/20210320222933/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28278
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
85.8%