CVE-2022-21824

Severity: 8.2 HIGH
EPSS: 0.7% (top 28.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24; Latest update Apr 15

Description

Due to the formatting logic of the "console.table()" function, it was not safe to allow user-controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype f
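The trigger and the fix described above, as an added example that is not part of the advisory and not Node.js's own code. `collectColumns` is an assumed, simplified model of the column-collection loop in `console.table()`, with the map-creation step parameterised so the plain-object variant (the pre-fix behaviour the advisory describes) can be compared with the null-prototype variant; `installedNodePollutes` sends the same constructed input (`{ a: 1 }` as the first argument, `['__proto__']` as `properties`) through the real `console.table()` of the running Node with its output discarded, so its result depends on whether the runtime is patched. `assertSafeProperties` is a hypothetical caller-side guard for code that cannot upgrade; it is not an API from Node or the advisory.

```javascript
// Added example: models the console.table() behaviour described in the
// advisory. collectColumns() is an assumed, simplified shape of the
// column-collection loop, not Node.js source.
'use strict';

// The footprint this bug leaves: own numeric keys on Object.prototype.
function pollutedNumericKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => /^\d+$/.test(k));
}

// Remove any leftover pollution so every check starts from a clean prototype.
function cleanup() {
  for (const k of pollutedNumericKeys()) delete Object.prototype[k];
}

// Simplified model of the per-row column collection (assumption, not Node's
// code). `mapFactory` stands in for the one line the fix changed: a plain
// object literal (vulnerable) versus Object.create(null) (fixed).
function collectColumns(tabularData, properties, mapFactory) {
  const map = mapFactory();
  const rowKeys = Object.keys(tabularData);
  for (let i = 0; i < rowKeys.length; i++) {
    const item = tabularData[rowKeys[i]];
    const primitive = item === null || (typeof item !== 'function' && typeof item !== 'object');
    if (properties === undefined && primitive) continue;
    const keys = properties || Object.keys(item);
    for (const key of keys) {
      // On a plain {} map, map['__proto__'] is Object.prototype, so this guard
      // is skipped and the next assignment writes into the shared prototype.
      if (map[key] === undefined) map[key] = [];
      if ((primitive && properties) || !Object.prototype.hasOwnProperty.call(item, key)) {
        map[key][i] = ''; // the empty-string write the advisory describes
      } else {
        map[key][i] = String(item[key]);
      }
    }
  }
  return map;
}

// Run the model with attacker-chosen `properties` and report which numeric
// keys landed on Object.prototype (then clean up). Input is constructed.
function runModel(mapFactory) {
  cleanup();
  collectColumns({ a: 1 }, ['__proto__'], mapFactory);
  const polluted = pollutedNumericKeys();
  cleanup();
  return polluted;
}

// Same trigger against the real console.table() of the running Node, with
// stdout silenced. Returns true only on an unpatched release.
function installedNodePollutes() {
  cleanup();
  const originalWrite = process.stdout.write;
  process.stdout.write = () => true;
  try {
    console.table({ a: 1 }, ['__proto__']);
  } finally {
    process.stdout.write = originalWrite;
  }
  const polluted = pollutedNumericKeys().length > 0;
  cleanup();
  return polluted;
}

// Hypothetical caller-side guard for code that must pass user input as
// `properties` on a runtime it cannot upgrade: allow only identifier-like
// column names and refuse prototype-walking keys.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function assertSafeProperties(properties) {
  if (!Array.isArray(properties)) throw new TypeError('properties must be an array');
  for (const p of properties) {
    if (typeof p !== 'string' || FORBIDDEN.has(p) || !/^[A-Za-z_$][\w$]*$/.test(p)) {
      throw new RangeError(`unsafe column name: ${String(p)}`);
    }
  }
  return properties;
}

console.log('model, plain {} map     :', runModel(() => ({})));
console.log('model, null-proto map   :', runModel(() => Object.create(null)));
console.log('installed Node pollutes?:', installedNodePollutes());
```

Run it with `node`. The plain-object model reports `['0']` regardless of Node version, because the write lands on `Object.prototype` through the inherited `__proto__` accessor; the null-prototype model reports `[]`, which is the effect of the fix. On a patched release the real `console.table()` call also reports `false`; on an affected one it reports `true`, and `({})[0] === ''` would hold for every object in the process until the key is deleted.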

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Exploitability: 3.9 | Impact: 4.2

Affected Packages (9 packages)

Source      Package          Affected versions
CVEListV5   nodejs/node      4.0 to 4.* (+13 more)
NVD         nodejs/node.js   12.0.0 to 12.22.9 (+3 more)
Debian      nodejs           < 12.22.12~dfsg-1~deb11u1 (+3 more)

Also affects: Debian Linux 10.0, 11.0

Patches

Vulnerability Details (3)

GHSA      GHSA-39wv-qjgj-4jxg: Due to the formatting logic of the "console…   2022-02-25
CVEList   CVE-2022-21824: Due to the formatting logic of the "console…        2022-02-24
OSV       CVE-2022-21824: Due to the formatting logic of the "console…        2022-02-24

Vendor Advisories (6)

Oracle      Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud Manager (Node.js) — CVE-2022-21824   2023-04-15
Oracle      Oracle Communications Risk Matrix: Policy (MySQL) — CVE-2022-21824   2023-01-15
Oracle      Oracle MySQL Risk Matrix: Cluster: General (Node.js) — CVE-2022-21824   2022-07-15
Microsoft   Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with…   2022-02-08
Red Hat     nodejs: Prototype pollution via console.table properties   2022-01-10