CVE-2023-26158 (GCVE-0-2023-26158)

Vulnerability from cvelistv5 – Published: 2023-12-08 05:00 – Updated: 2024-08-02 11:39
VLAI
Summary
All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). User controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability. Workaround By using a denylist of dangerous attributes, this weakness can be eliminated. Add the following line in the Util.extend function: js js if (["__proto__", "constructor", "prototype"].includes(name)) continue js // src/mock/handler.js Util.extend = function extend() { var target = arguments[0] || {}, i = 1, length = arguments.length, options, name, src, copy, clone if (length === 1) { target = this i = 0 } for (; i < length; i++) { options = arguments[i] if (!options) continue for (name in options) { if (["__proto__", "constructor", "prototype"].includes(name)) continue src = target[name] copy = options[name] if (target === copy) continue if (copy === undefined) continue if (Util.isArray(copy) || Util.isObject(copy)) { if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : [] if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {} target[name] = Util.extend(clone, copy) } else { target[name] = copy } } } return target }
Severity
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a mockjs Affected: 0 , < * (semver)
Credits
Timothee Desurmont
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:39:06.604Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mockjs",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Timothee Desurmont"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).\r\rUser controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.\r\r Workaround\r\rBy using a denylist of dangerous attributes, this weakness can be eliminated.\r\rAdd the following line in the Util.extend function:\r\rjs\rjs if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\r\r\rjs\r// src/mock/handler.js\rUtil.extend = function extend() {\r        var target = arguments[0] || {},\r            i = 1,\r            length = arguments.length,\r            options, name, src, copy, clone\r\r        if (length === 1) {\r            target = this\r            i = 0\r        }\r\r        for (; i \u003c length; i++) {\r            options = arguments[i]\r            if (!options) continue\r\r            for (name in options) {\r            if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\r                src = target[name]\r                copy = options[name]\r\r                if (target === copy) continue\r                if (copy === undefined) continue\r\r                if (Util.isArray(copy) || Util.isObject(copy)) {\r                    if (Util.isArray(copy)) clone = src \u0026\u0026 Util.isArray(src) ? src : []\r                    if (Util.isObject(copy)) clone = src \u0026\u0026 Util.isObject(src) ? src : {}\r\r                    target[name] = Util.extend(clone, copy)\r                } else {\r                    target[name] = copy\r                }\r            }\r        }\r\r        return target\r    }\r"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Prototype Pollution",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-08T05:00:01.350Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365"
        },
        {
          "url": "https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2023-26158",
    "datePublished": "2023-12-08T05:00:01.350Z",
    "dateReserved": "2023-02-20T10:28:48.930Z",
    "dateUpdated": "2024-08-02T11:39:06.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-26158",
      "date": "2026-06-29",
      "epss": "0.00801",
      "percentile": "0.5202"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-26158\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2023-12-08T05:15:07.870\",\"lastModified\":\"2026-06-17T05:42:48.550\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).\\r\\rUser controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.\\r\\r Workaround\\r\\rBy using a denylist of dangerous attributes, this weakness can be eliminated.\\r\\rAdd the following line in the Util.extend function:\\r\\rjs\\rjs if ([\\\"__proto__\\\", \\\"constructor\\\", \\\"prototype\\\"].includes(name)) continue\\r\\r\\rjs\\r// src/mock/handler.js\\rUtil.extend = function extend() {\\r        var target = arguments[0] || {},\\r            i = 1,\\r            length = arguments.length,\\r            options, name, src, copy, clone\\r\\r        if (length === 1) {\\r            target = this\\r            i = 0\\r        }\\r\\r        for (; i \u003c length; i++) {\\r            options = arguments[i]\\r            if (!options) continue\\r\\r            for (name in options) {\\r            if ([\\\"__proto__\\\", \\\"constructor\\\", \\\"prototype\\\"].includes(name)) continue\\r                src = target[name]\\r                copy = options[name]\\r\\r                if (target === copy) continue\\r                if (copy === undefined) continue\\r\\r                if (Util.isArray(copy) || Util.isObject(copy)) {\\r                    if (Util.isArray(copy)) clone = src \u0026\u0026 Util.isArray(src) ? src : []\\r                    if (Util.isObject(copy)) clone = src \u0026\u0026 Util.isObject(src) ? src : {}\\r\\r                    target[name] = Util.extend(clone, copy)\\r                } else {\\r                    target[name] = copy\\r                }\\r            }\\r        }\\r\\r        return target\\r    }\\r\"},{\"lang\":\"es\",\"value\":\"Todas las versiones del paquete mockjs son vulnerables a Prototype Pollution a trav\u00e9s de la funci\u00f3n Util.extend debido a que falta verificar si el atributo se resuelve en el prototipo del objeto. Al agregar o modificar atributos de un prototipo de objeto, es posible crear atributos que existen en cada objeto o reemplazar atributos cr\u00edticos por otros maliciosos. Esto puede resultar problem\u00e1tico si el software depende de la existencia o no de ciertos atributos, o utiliza atributos predefinidos del prototipo de objeto (como hasOwnProperty, toString o valueOf). Las entradas controladas por el usuario dentro del m\u00e9todo extend() de Mock.Handler, Mock.Random, Mock.RE.Handler o Mock.Util permitir\u00e1n a un atacante explotar esta vulnerabilidad. Como workaround al utilizar una lista de atributos peligrosos, se puede eliminar esta debilidad. Agregue la siguiente l\u00ednea en la funci\u00f3n Util.extend: js js if ([\\\"__proto__\\\", \\\"constructor\\\", \\\"prototype\\\"].includes(name)) continue js // src/mock/handler.js Util.extend = function extend() { var target = arguments[0] || {}, i = 1, length = arguments.length, options, name, src, copy, clone if (length === 1) { target = this i = 0 } for (; i \u0026lt; length; i++) { options = arguments[i] if (!options) continue for (name in options) { if ([\\\"__proto__\\\", \\\"constructor\\\", \\\"prototype\\\"].includes(name)) continue src = target[name] copy = options[name] if (target === copy) continue if (copy === undefined) continue if (Util.isArray(copy) || Util.isObject(copy)) { if (Util.isArray(copy)) clone = src \u0026amp;\u0026amp; Util.isArray(src) ? src : [] if (Util.isObject(copy)) clone = src \u0026amp;\u0026amp; Util.isObject(src) ? src : {} target[name] = Util.extend(clone, copy) } else { target[name] = copy } } } return target } \"}],\"affected\":[{\"source\":\"report@snyk.io\",\"affectedData\":[{\"vendor\":\"n/a\",\"product\":\"mockjs\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"*\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mockjs:mock.js:*:*:*:*:*:node.js:*:*\",\"versionEndIncluding\":\"1.1.0\",\"matchCriteriaId\":\"557CBFB9-9781-4F55-8E18-A318EF1AF35F\"}]}]}],\"references\":[{\"url\":\"https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755\",\"source\":\"report@snyk.io\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.