postmanlabs / newman

Newman is a command-line collection runner for Postman
https://www.postman.com
Apache License 2.0

CVE-2023-26136 for tough-cookie #3120

Closed mbashtovaya closed 1 year ago

mbashtovaya commented 1 year ago
  1. Newman Version (can be found via newman -v): 5.3.2
  2. OS details (type, version, and architecture): Ubuntu
  3. Are you using Newman as a library, or via the CLI? npm package
  4. Did you encounter this recently, or has this bug always been there: A new CVE was opened on 2023-07-03 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26136
  5. Expected behaviour: Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
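The mechanism behind the report above, as an added example that is not part of the issue and not tough-cookie's or newman's own code: a minimal model of the domain -> path -> name index that tough-cookie's in-memory cookie store keeps. When each level of that index is created with a plain `{}`, a cookie whose Domain attribute is the literal string `__proto__` resolves to `Object.prototype`, so the path and name writes land on every object in the process; creating the levels with `Object.create(null)` (the pattern used by the 4.1.3 fix) closes that. The `makeStore` and `pollutionProbe` names are this example's own, and the `rejectPublicSuffixes=true` check is simplified (assumption: any domain without a dot is treated as a public suffix) to stand in for the real public-suffix-list lookup that rejects a bare label such as `__proto__`.

```javascript
// Added example (not tough-cookie's or newman's code). Models the
// domain -> path -> name cookie index to show why Domain=__proto__ pollutes
// Object.prototype when levels are plain `{}` and why Object.create(null)
// prevents it. Cookie-string parsing is skipped: domain, path and name are
// passed in directly.
function makeStore({ rejectPublicSuffixes, hardened }) {
  // Vulnerable: `{}` inherits from Object.prototype, so idx["__proto__"]
  // returns Object.prototype itself and later writes go there.
  // Hardened: Object.create(null) has no prototype, so "__proto__" is an
  // ordinary, initially absent key.
  const newLevel = hardened ? () => Object.create(null) : () => ({});
  const idx = newLevel();

  return {
    setCookie(domain, path, name, value) {
      // Simplified public-suffix check (assumption): a label with no dot is
      // treated as a public suffix and rejected, as the real PSL lookup would
      // reject "__proto__". With rejectPublicSuffixes=false it is skipped.
      if (rejectPublicSuffixes && !domain.includes(".")) {
        throw new Error(`Cookie domain ${domain} is a public suffix`);
      }
      if (!idx[domain]) idx[domain] = newLevel();
      if (!idx[domain][path]) idx[domain][path] = newLevel();
      idx[domain][path][name] = value;
    },
    getCookie(domain, path, name) {
      const byPath = idx[domain] && idx[domain][path];
      return byPath ? byPath[name] : undefined;
    },
  };
}

// Stores a cookie with Domain=__proto__ (the shape of the public PoC for
// CVE-2023-26136), then checks whether a brand-new, unrelated object can now
// see that cookie under `path`, i.e. whether Object.prototype was polluted.
// Cleans up afterwards so repeated probes in one process start clean.
function pollutionProbe(opts, path = "/notauth", name = "Slonser") {
  const store = makeStore(opts);
  let rejected = false;
  try {
    store.setCookie("__proto__", path, name, "polluted");
  } catch (e) {
    rejected = true;
  }
  // A benign cookie from an unrelated site; must never be affected.
  store.setCookie("example.com", "/", "session", "abc");

  const unrelated = {};
  const polluted =
    unrelated[path] !== undefined && unrelated[path][name] === "polluted";
  delete Object.prototype[path]; // undo any pollution before returning
  return { rejected, polluted };
}

// Stand-alone run: vulnerable store, fixed store, and the option check.
console.log({
  vulnerable: pollutionProbe({ rejectPublicSuffixes: false, hardened: false }),
  hardened: pollutionProbe({ rejectPublicSuffixes: false, hardened: true }),
  rejectingSuffixes: pollutionProbe({ rejectPublicSuffixes: true, hardened: false }),
});
```

The vulnerable variant reports `polluted: true`; the hardened variant and the default `rejectPublicSuffixes=true` path do not. To see which tough-cookie an installed newman actually resolves to, `npm ls tough-cookie` in the project prints the dependency chain and version; anything below 4.1.3 matches the advisory quoted above.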