CVE-2022-21803: Prototype Pollution
First published: Tue Apr 12 2022(Updated: )
A flaw was found in the nconf library when setting the configuration properties. This flaw allows an attacker to provide a crafted property, leading to prototype object pollution.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/npm-nconf | <0.11.4 | 0.11.4 |
| IBM Cognos Analytics 11.2.x | <=IBM Cognos Analytics 11.2.x | |
| IBM Cognos Analytics 11.1.x | <=IBM Cognos Analytics 11.1.x | |
| Nconf Project Nconf | <0.11.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/224357
- https://www.ibm.com/support/pages/node/6615285 (Advisory)
- https://github.com/indexzero/nconf/pull/397
- https://github.com/indexzero/nconf/releases/tag/v0.11.4
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450
- https://snyk.io/vuln/SNYK-JS-NCONF-2395478
- https://github.com/RedHatInsights/insights-remediations/blob/master/package-lock.json
- https://github.com/RedHatInsights/insights-remediations/blob/production/package-lock.json
- https://access.redhat.com/errata/RHSA-2022:1681
- https://access.redhat.com/errata/RHSA-2022:1715
- https://access.redhat.com/security/cve/cve-2022-21803
- https://access.redhat.com/errata/RHSA-2022:4956
- https://access.redhat.com/errata/RHSA-2022:5201
- https://access.redhat.com/errata/RHSA-2022:5392
- https://bugzilla.redhat.com/show_bug.cgi?id=2074689
- https://www.cve.org/CVERecord?id=CVE-2022-21803 https://nvd.nist.gov/vuln/detail/CVE-2022-21803 https://github.com/allengayCx/nodegoat/issues/88
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-21803?
CVE-2022-21803 is a vulnerability in the nconf library that could allow a remote attacker to execute arbitrary code on the system.
What is the severity of CVE-2022-21803?
The severity of CVE-2022-21803 is high, with a severity score of 7.3.
How does CVE-2022-21803 work?
CVE-2022-21803 is caused by a prototype pollution flaw when using the memory engine in the Node.js nconf module. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability.
Which software is affected by CVE-2022-21803?
The software affected by CVE-2022-21803 includes the npm-nconf package version 0.11.4, IBM Cognos Analytics 11.2.x, IBM Cognos Analytics 11.1.x, and Nconf Project Nconf up to version 0.11.4.
How can I fix CVE-2022-21803?
To fix CVE-2022-21803, update to npm-nconf version 0.11.4 or apply the necessary patches provided by the respective vendors.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/weakness
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-21803
- agent/software-canonical-lookup
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/title
- agent/event
- collector/ibm-support
- source/IBM
- agent/tags
- agent/trending
- vendor/nconf project
- canonical/nconf project nconf
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics 11.2.x
- version/ibm cognos analytics 11.2.x/ibm cognos analytics 11.2.x
- canonical/ibm cognos analytics 11.1.x
- version/ibm cognos analytics 11.1.x/ibm cognos analytics 11.1.x