CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
782 vulnerabilities reference this CWE, most recent first.
GHSA-8G77-54RH-46HX
Vulnerability from github – Published: 2025-03-12 21:31 – Updated: 2025-03-20 19:27An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-git-config"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-25975"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-16T17:22:50Z",
"nvd_published_at": "2025-03-12T19:15:40Z",
"severity": "HIGH"
},
"details": "An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function.",
"id": "GHSA-8g77-54rh-46hx",
"modified": "2025-03-20T19:27:20Z",
"published": "2025-03-12T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25975"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/parse-git-config/issues/14"
},
{
"type": "PACKAGE",
"url": "https://github.com/jonschlinkert/parse-git-config"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Prototype Pollution Vulnerability in parse-git-config"
}
GHSA-8GH8-HQWG-XF34
Vulnerability from github – Published: 2022-12-25 21:30 – Updated: 2024-03-01 14:21A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.1 can address this issue. The name of the patch is 7ad6af41eabb2d799f698740a91284d762c955c9. It is recommended to upgrade the affected component. VDB-216778 is the identifier assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-json-patch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4279"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T16:27:22Z",
"nvd_published_at": "2022-12-25T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.1 can address this issue. The name of the patch is 7ad6af41eabb2d799f698740a91284d762c955c9. It is recommended to upgrade the affected component. VDB-216778 is the identifier assigned to this vulnerability.",
"id": "GHSA-8gh8-hqwg-xf34",
"modified": "2024-03-01T14:21:21Z",
"published": "2022-12-25T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4279"
},
{
"type": "WEB",
"url": "https://github.com/Starcounter-Jack/JSON-Patch/pull/262"
},
{
"type": "WEB",
"url": "https://github.com/Starcounter-Jack/JSON-Patch/commit/7ad6af41eabb2d799f698740a91284d762c955c9"
},
{
"type": "WEB",
"url": "https://blog.effectrenan.com/pwn2win-2021-illusion-web-challenge"
},
{
"type": "PACKAGE",
"url": "https://github.com/Starcounter-Jack/JSON-Patch"
},
{
"type": "WEB",
"url": "https://github.com/Starcounter-Jack/JSON-Patch/releases/tag/3.1.1"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.216778"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216778"
},
{
"type": "WEB",
"url": "https://www.huntr.dev/bounties/1-npm-fast-json-patch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Starcounter-Jack JSON-Patch Prototype Pollution vulnerability"
}
GHSA-8GW3-RXH4-V6JX
Vulnerability from github – Published: 2025-11-14 18:31 – Updated: 2025-11-17 18:39npm package expr-eval is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "expr-eval"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "expr-eval-fork"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13204"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-17T18:39:19Z",
"nvd_published_at": "2025-11-14T17:16:01Z",
"severity": "HIGH"
},
"details": "npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.",
"id": "GHSA-8gw3-rxh4-v6jx",
"modified": "2025-11-17T18:39:19Z",
"published": "2025-11-14T18:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13204"
},
{
"type": "WEB",
"url": "https://github.com/silentmatt/expr-eval/pull/252/files"
},
{
"type": "WEB",
"url": "https://github.com/jorenbroekema/expr-eval/commit/6c475a118643ae0efe012de283e932fb8b74324b"
},
{
"type": "WEB",
"url": "https://github.com/silentmatt/expr-eval/commit/6e889e0e75c50ac37d70c35388602025650e0c50"
},
{
"type": "WEB",
"url": "https://github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.py"
},
{
"type": "WEB",
"url": "https://github.com/jorenbroekema/expr-eval"
},
{
"type": "PACKAGE",
"url": "https://github.com/silentmatt/expr-eval"
},
{
"type": "WEB",
"url": "https://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py"
},
{
"type": "WEB",
"url": "https://www.huntr.dev/bounties/1-npm-expr-eval"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/expr-eval-fork"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "expr-eval vulnerable to Prototype Pollution"
}
GHSA-8GWJ-8HXC-285W
Vulnerability from github – Published: 2021-11-08 17:43 – Updated: 2021-11-08 17:43This affects the package json-ptr before 3.0.0. A type confusion vulnerability can lead to a bypass of CVE-2020-7766 when the user-provided keys used in the pointer parameter are arrays.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json-ptr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23509"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-04T16:56:49Z",
"nvd_published_at": "2021-11-03T18:15:00Z",
"severity": "MODERATE"
},
"details": "This affects the package `json-ptr` before `3.0.0`. A type confusion vulnerability can lead to a bypass of CVE-2020-7766 when the user-provided keys used in the pointer parameter are arrays.",
"id": "GHSA-8gwj-8hxc-285w",
"modified": "2021-11-08T17:43:16Z",
"published": "2021-11-08T17:43:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23509"
},
{
"type": "WEB",
"url": "https://github.com/flitbit/json-ptr/pull/42"
},
{
"type": "WEB",
"url": "https://github.com/flitbit/json-ptr/commit/5dc458fbad1c382a2e3ca6d62e66ede3d92849ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/flitbit/json-ptr"
},
{
"type": "WEB",
"url": "https://github.com/flitbit/json-ptr%23security-vulnerabilities-resolved"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPTR-1577291"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in json-ptr"
}
GHSA-8HQ9-PHH3-P2WP
Vulnerability from github – Published: 2026-03-17 16:17 – Updated: 2026-03-19 19:01Impact
Elysia cookie can be overridden by prototype pollution , eg. __proto__
Sending cookie with the follows name can override cookie value:
__proto__=%7B%22injected%22%3A%22polluted%22%7D
Patches
Patched by 1.4.27
Workarounds
- Use t.Cookie validation to enforce validation value
- Prevent iterable over cookie if possible
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "elysia"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31865"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T16:17:41Z",
"nvd_published_at": "2026-03-18T04:17:19Z",
"severity": "MODERATE"
},
"details": "### Impact\nElysia cookie can be overridden by prototype pollution , eg. `__proto__`\n\nSending cookie with the follows name can override cookie value:\n```bash\n__proto__=%7B%22injected%22%3A%22polluted%22%7D\n```\n\n### Patches\nPatched by 1.4.27\n\n### Workarounds\n1. Use t.Cookie validation to enforce validation value\n2. Prevent iterable over cookie if possible",
"id": "GHSA-8hq9-phh3-p2wp",
"modified": "2026-03-19T19:01:12Z",
"published": "2026-03-17T16:17:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31865"
},
{
"type": "WEB",
"url": "https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab"
},
{
"type": "PACKAGE",
"url": "https://github.com/elysiajs/elysia"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Elysia Cookie Value Prototype Pollution"
}
GHSA-8J49-49JQ-VWCQ
Vulnerability from github – Published: 2020-09-04 15:15 – Updated: 2020-08-31 18:55All versions of getsetdeep are vulnerable to prototype pollution. The setDeep() function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "getsetdeep"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:55:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "All versions of `getsetdeep` are vulnerable to prototype pollution. The `setDeep()` function does not restrict the modification of an Object\u0027s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
"id": "GHSA-8j49-49jq-vwcq",
"modified": "2020-08-31T18:55:30Z",
"published": "2020-09-04T15:15:34Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1334"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Prototype Pollution in getsetdeep"
}
GHSA-8MMM-9V2Q-X3F9
Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2024-04-22 23:15Prototype pollution vulnerability in tschaub gh-pages via the partial variable in util.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "gh-pages"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37611"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T23:15:25Z",
"nvd_published_at": "2022-10-12T01:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in tschaub gh-pages via the partial variable in util.js.",
"id": "GHSA-8mmm-9v2q-x3f9",
"modified": "2024-04-22T23:15:25Z",
"published": "2022-10-12T12:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37611"
},
{
"type": "WEB",
"url": "https://github.com/tschaub/gh-pages/issues/446"
},
{
"type": "WEB",
"url": "https://github.com/tschaub/gh-pages/pull/452"
},
{
"type": "PACKAGE",
"url": "https://github.com/tschaub/gh-pages"
},
{
"type": "WEB",
"url": "https://github.com/tschaub/gh-pages/blob/e363b144defe8e555f5a54251a6f7f1297c0e3f6/lib/util.js#L11"
},
{
"type": "WEB",
"url": "https://github.com/tschaub/gh-pages/blob/e363b144defe8e555f5a54251a6f7f1297c0e3f6/lib/util.js#L16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "tschaub gh-pages vulnerable to prototype pollution"
}
GHSA-8MP8-28XH-R486
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2023-10-19 18:24Overview
Prototype pollution vulnerability in 'keyget' versions 1.0.0 through 2.2.0 allows attacker to cause a denial of service and may lead to remote code execution.
Details
The npm module 'keyget' can be abused by Prototype Pollution vulnerability since the function 'setByPath()' did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.
PoC Details
The setByPath() function accepts three arguments target, path, value. Due to the absence of validation, at values passed into path, value an attacker can supply a malicious value by adjusting the path value to include the __proto__ property. Since there is no validation before assigning property to check whether the assigned path is the Object's own property or not, the property polluted will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate polluted the value would be substituted as "true" as it had been polluted.
PoC Code
var keyget = require("keyget")
keyget.set({}, '__proto__.polluted', 'true');
console.log(polluted);
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.0"
},
"package": {
"ecosystem": "npm",
"name": "keyget"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28272"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-19T18:24:49Z",
"nvd_published_at": "2020-12-02T15:15:00Z",
"severity": "CRITICAL"
},
"details": "### Overview\nPrototype pollution vulnerability in \u0027keyget\u0027 versions 1.0.0 through 2.2.0 allows attacker to cause a denial of service and may lead to remote code execution.\n\n### Details\nThe npm module \u0027keyget\u0027 can be abused by Prototype Pollution vulnerability since the function \u0027setByPath()\u0027 did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.\n\n### PoC Details\nThe `setByPath()` function accepts three arguments `target, path, value`. Due to the absence of validation, at values passed into `path, value` an attacker can supply a malicious value by adjusting the `path` value to include the `__proto__` property. Since there is no validation before assigning property to check whether the assigned `path` is the Object\u0027s own property or not, the property `polluted` will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate `polluted` the value would be substituted as \"true\" as it had been polluted.\n\n### PoC Code\n```js\nvar keyget = require(\"keyget\")\n keyget.set({}, \u0027__proto__.polluted\u0027, \u0027true\u0027);\n console.log(polluted); \n```",
"id": "GHSA-8mp8-28xh-r486",
"modified": "2023-10-19T18:24:49Z",
"published": "2022-05-24T17:35:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28272"
},
{
"type": "WEB",
"url": "https://github.com/rumkin/keyget/commit/17d15b6c75036eb429075a8cfeccfc18094dd2e2"
},
{
"type": "PACKAGE",
"url": "https://github.com/rumkin/keyget"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20201207183211/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28272"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "keyget vulnerable to prototype pollution"
}
GHSA-8MQX-QM24-G4FH
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 15:30If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
{
"affected": [],
"aliases": [
"CVE-2022-2200"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "HIGH"
},
"details": "If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox \u003c 102, Firefox ESR \u003c 91.11, Thunderbird \u003c 102, and Thunderbird \u003c 91.11.",
"id": "GHSA-8mqx-qm24-g4fh",
"modified": "2025-04-15T15:30:34Z",
"published": "2022-12-22T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2200"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1771381"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-24"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-25"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8P36-Q63G-68QH
Vulnerability from github – Published: 2021-05-13 22:31 – Updated: 2022-12-03 03:46org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.mitre:openid-connect-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-27582"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-07T18:32:32Z",
"nvd_published_at": "2021-02-23T18:15:00Z",
"severity": "CRITICAL"
},
"details": "org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.",
"id": "GHSA-8p36-q63g-68qh",
"modified": "2022-12-03T03:46:40Z",
"published": "2021-05-13T22:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27582"
},
{
"type": "WEB",
"url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/commit/7eba3c12fed82388f917e8dd9b73e86e3a311e4c"
},
{
"type": "PACKAGE",
"url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server"
},
{
"type": "WEB",
"url": "https://portswigger.net/research/hidden-oauth-attack-vectors"
},
{
"type": "WEB",
"url": "http://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Autobinding vulnerability in MITREid Connect"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.