[BUG] with CVE-2022-25878 #270

Open
axi92 opened this issue May 30, 2023 · 0 comments
axi92 commented May 30, 2023

Describe the bug
When I use protobufjs in version 6.11.3 it should not trigger a warning; as far as I understand the text here, CVE-2022-25878 says only below 6.11.3. So 6.11.3 should be fine. CVE-2022-25878

To Reproduce
Steps to reproduce the behavior:

  1. npm init
  2. npm i [email protected]
  3. echo y | npx auditjs@latest ossi

```
 ________   ___  ___   ________   ___   _________       ___   ________      
|\   __  \ |\  \|\  \ |\   ___ \ |\  \ |\___   ___\    |\  \ |\   ____\     
\ \  \|\  \\ \  \\\  \\ \  \_|\ \\ \  \\|___ \  \_|    \ \  \\ \  \___|_    
 \ \   __  \\ \  \\\  \\ \  \ \\ \\ \  \    \ \  \   __ \ \  \\ \_____  \   
  \ \  \ \  \\ \  \\\  \\ \  \_\\ \\ \  \    \ \  \ |\  \\_\  \\|____|\  \  
   \ \__\ \__\\ \_______\\ \_______\\ \__\    \ \__\\ \________\ ____\_\  \ 
    \|__|\|__| \|_______| \|_______| \|__|     \|__| \|________||\_________\
                                                                \|_________|
                                                                            
                                                                            
  _      _                       _   _              
 /_)    /_`_  _  _ _/_   _  _   (/  /_`_._  _   _/ _
/_)/_/ ._//_// //_|/ /_//_//_' (_X /  ///_'/ //_/_\ 
   _/                _//                            

  AuditJS version: 4.0.39

✔ Starting application
✔ Getting coordinates for Sonatype OSS Index
✔ Auditing your application with Sonatype OSS Index
✔ Submitting coordinates to Sonatype OSS Index
✔ Reticulating splines
✔ Removing whitelisted vulnerabilities

  Sonabot here, beep boop beep boop, here are your Sonatype OSS Index results:
  Total dependencies audited: 14

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[1/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[2/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[3/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[4/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[5/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[6/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[7/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[8/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[9/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[10/14] - pkg:npm/@protobufjs/[email protected] - No vulnerabilities found!
[11/14] - pkg:npm/@types/[email protected] - No vulnerabilities found!
[12/14] - pkg:npm/@types/[email protected] - No vulnerabilities found!
[13/14] - pkg:npm/[email protected] - No vulnerabilities found!
[14/14] - pkg:npm/[email protected] - 1 vulnerability found!

  Vulnerability Title:  [CVE-2022-25878] CWE-1321
  ID:  CVE-2022-25878
  Description:  The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files
  
  Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-25878 for details
  CVSS Score:  7.5
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  CVE:  CVE-2022-25878
  Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2022-25878?component-type=npm&component-name=protobufjs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.39
```

Expected behavior
When I use version 6.11.3 it should not consider it as vulnerable, since the text says: "before 6.11.3 are vulnerable".

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Linux
  • NodeJS Version: v18.15.0
  • Version: 4.0.39

Additional context
Add any other context about the problem here.

cc @bhamail / @DarthHater / @allenhsieh / @Slim-Shary

@axi92 axi92 added the bug label May 30, 2023
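The check a reviewer of this finding would want to run by hand, as an added example that is not auditjs or protobufjs code: extract the installed version from the audit tool's purl and compare it against the affected range stated in the advisory text ("before 6.11.3"), so a finding whose version lies outside that range is flagged for cross-checking with the data source. The purl strings, the range syntax and the `classifyFinding` helper are assumptions constructed for this example.

```javascript
// Parse a purl such as "pkg:npm/protobufjs@6.11.3" (or a scoped name written
// as the audit output prints it, "pkg:npm/@types/node@20.2.5") into name/version.
function parsePurl(purl) {
  const m = /^pkg:npm\/((?:@[^/@]+\/)?[^/@]+)@([^?#]+)/.exec(purl);
  if (!m) throw new Error(`unrecognised purl: ${purl}`);
  return { name: m[1], version: m[2] };
}

// "6.11.3" -> [6, 11, 3]; prerelease/build tags are deliberately ignored here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric compare of two semver strings: -1, 0 or 1.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when `version` satisfies every comparator in `range`,
// e.g. "< 6.11.3" or ">= 6.0.0 < 6.11.3" (assumed range syntax).
function inRange(version, range) {
  const ops = { '<': c => c < 0, '<=': c => c <= 0, '>': c => c > 0,
                '>=': c => c >= 0, '=': c => c === 0 };
  const cmps = range.match(/(<=|>=|<|>|=)\s*\d+\.\d+\.\d+/g) || [];
  if (cmps.length === 0) throw new Error(`unparsable range: ${range}`);
  return cmps.every(c => {
    const [, op, ver] = /(<=|>=|<|>|=)\s*(.+)/.exec(c);
    return ops[op](compareVersions(version, ver));
  });
}

// Classify one finding: "affected" when the installed version is inside the
// advisory's stated range, otherwise a candidate false positive to raise with
// the data source (which is what this issue does).
function classifyFinding(purl, affectedRange) {
  const { name, version } = parsePurl(purl);
  const affected = inRange(version, affectedRange);
  return { name, version, affected,
           verdict: affected ? 'affected' : 'outside stated range: check data source' };
}

// Constructed sample reproducing this issue: the advisory says "before 6.11.3".
const STATED_RANGE = '< 6.11.3';
console.log(classifyFinding('pkg:npm/protobufjs@6.11.3', STATED_RANGE));
console.log(classifyFinding('pkg:npm/protobufjs@6.11.2', STATED_RANGE));
```

The comparison only reflects the range quoted in the advisory text; when the tool output notes that the data source's range differs from NVD (as the OSS Index entry above does), the mismatch is exactly what this check surfaces for a human to resolve.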