CVE-2023-0163: Prototype Pollution in Mozilla Convict

Severity
8.4 HIGH (NVD)
EPSS
0.1%
top 74.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Nov 26

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabota

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.5 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5: mozilla/convict < 6.2.4
NVD: mozilla/convict < 6.2.4
npm: mozilla/convict < 6.2.4

Vulnerability Details (3)

CVEList: Prototype Pollution in convict (2024-11-26)
GHSA: convict vulnerable to Prototype Pollution (2023-01-10)
OSV: convict vulnerable to Prototype Pollution (2023-01-10)