The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508)
CVE-2022-22143 - High Severity Vulnerability
Featureful configuration management library for Node.js (nested structure, schema validation, etc.)
Library home page: https://registry.npmjs.org/convict/-/convict-6.0.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/convict/package.json
Dependency Hierarchy: - cli-2.3.3.tgz (Root Library) - playbook-builder-2.3.3.tgz - :x: **convict-6.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 1e0122c930bb3808dc9dabdff2f5841e0a728f35
Found in base branch: master
The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508)
Publish Date: 2022-05-01
URL: CVE-2022-22143
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22143
Release Date: 2022-05-01
Fix Resolution (convict): 6.2.2
Direct dependency fix Resolution (@antora/cli): 3.0.0-alpha.10