GHSA-MH8J-9JVH-GJF6

Vulnerability from github – Published: 2023-12-08 06:30 – Updated: 2023-12-08 15:49
VLAI
Summary
mockjs vulnerable to Prototype Pollution via the Util.extend function
Details

All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

User controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.

Workaround

By using a denylist of dangerous attributes, this weakness can be eliminated.

Add the following line in the Util.extend function:

js js if (["proto", "constructor", "prototype"].includes(name)) continue

js // src/mock/handler.js Util.extend = function extend() { var target = arguments[0] || {}, i = 1, length = arguments.length, options, name, src, copy, clone

    if (length === 1) {
        target = this
        i = 0
    }

    for (; i < length; i++) {
        options = arguments[i]
        if (!options) continue

        for (name in options) {
        if (["__proto__", "constructor", "prototype"].includes(name)) continue
            src = target[name]
            copy = options[name]

            if (target === copy) continue
            if (copy === undefined) continue

            if (Util.isArray(copy) || Util.isObject(copy)) {
                if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : []
                if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {}

                target[name] = Util.extend(clone, copy)
            } else {
                target[name] = copy
            }
        }
    }

    return target
}
Severity
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mockjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-08T15:49:13Z",
    "nvd_published_at": "2023-12-08T05:15:07Z",
    "severity": "HIGH"
  },
  "details": "All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).\n\nUser controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.\n\n Workaround\n\nBy using a denylist of dangerous attributes, this weakness can be eliminated.\n\nAdd the following line in the Util.extend function:\n\njs\njs if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\n\n\njs\n// src/mock/handler.js\nUtil.extend = function extend() {\n        var target = arguments[0] || {},\n            i = 1,\n            length = arguments.length,\n            options, name, src, copy, clone\n\n        if (length === 1) {\n            target = this\n            i = 0\n        }\n\n        for (; i \u003c length; i++) {\n            options = arguments[i]\n            if (!options) continue\n\n            for (name in options) {\n            if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\n                src = target[name]\n                copy = options[name]\n\n                if (target === copy) continue\n                if (copy === undefined) continue\n\n                if (Util.isArray(copy) || Util.isObject(copy)) {\n                    if (Util.isArray(copy)) clone = src \u0026\u0026 Util.isArray(src) ? src : []\n                    if (Util.isObject(copy)) clone = src \u0026\u0026 Util.isObject(src) ? src : {}\n\n                    target[name] = Util.extend(clone, copy)\n                } else {\n                    target[name] = copy\n                }\n            }\n        }\n\n        return target\n    }\n",
  "id": "GHSA-mh8j-9jvh-gjf6",
  "modified": "2023-12-08T15:49:13Z",
  "published": "2023-12-08T06:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26158"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuysoft/Mock"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js#L721-L755"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mockjs vulnerable to Prototype Pollution via the Util.extend function"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.