OS2iot / OS2iot-backend

This repository contains the backend to the project OS2iot.
Mozilla Public License 2.0

Fix CVE-2021-44906 #187

Closed debricked[bot] closed 1 year ago

debricked[bot] commented 2 years ago

CVE-2021-44906

Vulnerable dependency: minimist (npm) 1.2.5

Vulnerability details

Description

### NVD

> Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

### GitHub

> Prototype Pollution in minimist
>
> Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

CVSS details - 9.8

|CVSS3 metrics||
|:-|:-|
|Attack Vector|**Network**|
|Attack Complexity|**Low**|
|Privileges Required|**None**|
|User interaction|**None**|
|Scope|**Unchanged**|
|Confidentiality|**High**|
|Integrity|**High**|
|Availability|**High**|

References

- [Prototype Pollution in minimist · CVE-2021-44906 · GitHub Advisory Database · GitHub](https://github.com/advisories/GHSA-xvch-5gv4-984h)
- [NVD - CVE-2021-44906](https://nvd.nist.gov/vuln/detail/CVE-2021-44906)
- [insufficient fix for prototype pollution in setKey() CVE-2021-44906 · Issue #164 · substack/minimist · GitHub](https://github.com/substack/minimist/issues/164)
- [minimist/index.js at master · substack/minimist · GitHub](https://github.com/substack/minimist/blob/master/index.js#L69)
- [javascript - Adding custom properties to a function - Stack Overflow](https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068)
- [JavaScript-vulnerability-detection/minimist PoC.zip at main · Marynk/JavaScript-vulnerability-detection · GitHub](https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip)
- [don't assign onto __proto__ · substack/minimist@63e7ed0 · GitHub](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)
- [even more aggressive checks for protocol pollution · substack/minimist@38a4d1c · GitHub](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)


Related information

:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE


AramAlsabti commented 1 year ago

@nestjs/cli was downgraded to keep this focused on mqtt. It will be bumped in #200