mahawiki / BackToBasics-Hacktoberfest

Hacktoberfest community repository. In this repository, you can find all the resources you need to start your career in the tech industry.
GNU General Public License v3.0

[ VULNERABILITY ] Prototype pollution in yargs-parser #3

Open APratham opened 4 years ago

APratham commented 4 years ago

Describe the vulnerability Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.

Where is it? Upgrade yargs-parser to 13.1.2, 15.0.1, 18.1.1 or later in ../microservices/package-lock.json

Risk involved This is only exploitable if attackers have control over the arguments being passed to yargs-parser, making it a low risk vulnerability.

Database GHSA-p9pc-299p-vxgp

Expected behavior The containers will still compile; there is no issue with that. But the application will be vulnerable to prototype pollution.

Additional context
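The mechanism the advisory describes, an argument such as `--__proto__.isAdmin=true` being written through the prototype chain onto `Object.prototype`, shown as an added JavaScript example. This is not code from the issue above or from yargs-parser's source: it is a toy dotted-key argv parser with the same class of flaw, a hardened variant beside it, and a check for whether `Object.prototype` has acquired a property. The `--key.sub=value` syntax, the function names and the sample argv are assumptions for illustration only.

```javascript
// Added example (not yargs-parser's code): demonstrates the prototype
// pollution class of bug from the advisory with a minimal argv parser.

// Assumed syntax: "--a.b.c=value" -> path ["a","b","c"], value "value".
// A bare "--flag" becomes true.
function splitArg(arg) {
  const body = arg.replace(/^--/, "");
  const eq = body.indexOf("=");
  const key = eq === -1 ? body : body.slice(0, eq);
  const value = eq === -1 ? true : body.slice(eq + 1);
  return { path: key.split("."), value };
}

// VULNERABLE: walks the dotted path with plain property access on a normal
// object literal. A first segment of "__proto__" resolves to
// Object.prototype, so the final assignment lands on every object.
function parseVulnerable(argv) {
  const result = {};
  for (const arg of argv) {
    if (!arg.startsWith("--")) continue;
    const { path, value } = splitArg(arg);
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== "object" || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// HARDENED: two independent defences. (1) Reject path segments that name
// the prototype machinery. (2) Build null-prototype objects, so even an
// unanticipated segment has no chain to walk up to Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function parseHardened(argv) {
  const result = Object.create(null);
  for (const arg of argv) {
    if (!arg.startsWith("--")) continue;
    const { path, value } = splitArg(arg);
    if (path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
      throw new Error(`refusing unsafe key: ${path.join(".")}`);
    }
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(node, path[i]);
      if (!own || typeof node[path[i]] !== "object" || node[path[i]] === null) {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Detection helper: has Object.prototype itself gained this own property?
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Run the constructed attacker-controlled argv through both parsers and
// report what happened. Cleans Object.prototype up afterwards so the rest
// of the process is not left in a polluted state.
function demo() {
  const argv = ["--port=8080", "--__proto__.isAdmin=true"]; // constructed input
  const before = isPolluted("isAdmin");
  parseVulnerable(argv);
  const after = isPolluted("isAdmin");
  const leaked = ({}).isAdmin; // an unrelated fresh object now "has" isAdmin
  delete Object.prototype.isAdmin;
  let hardenedRejected = false;
  try {
    parseHardened(argv);
  } catch (e) {
    hardenedRejected = true;
  }
  return { before, after, leaked, hardenedRejected, stillPolluted: isPolluted("isAdmin") };
}

console.log(demo());
```

The point for a code review is that the gadget is entirely in the parser's path-walking loop: nothing about `yargs-parser` the library is special, any routine that sets nested keys from untrusted strings on a plain object has the same problem. Rejecting `__proto__`, `constructor` and `prototype` closes the known spellings; using `Object.create(null)` for the target closes the class.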