CVE-2022-21190 (High) detected in convict-6.0.0.tgz

[mend-for-github-com[bot]]

CVE-2022-21190 - High Severity Vulnerability

Vulnerable Library - convict-6.0.0.tgz

Featureful configuration management library for Node.js (nested structure, schema validation, etc.)

Library home page: https://registry.npmjs.org/convict/-/convict-6.0.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/convict/package.json

Dependency Hierarchy: - cli-2.3.3.tgz (Root Library) - playbook-builder-2.3.3.tgz - :x: **convict-6.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 787d550ab037fd249932a79fcb37a055e556301e

Found in base branch: master

Vulnerability Details

This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with __proto__ or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.__proto__ or foo.this.constructor.prototype.

Publish Date: 2022-05-13

URL: CVE-2022-21190

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/mozilla/node-convict/pull/384

Release Date: 2022-05-13

Fix Resolution (convict): 6.2.3

Direct dependency fix Resolution (@antora/cli): 3.0.0-alpha.10

---

• [ ] Check this box to open an automated fix PR