Vulnerable Package issue exists @ Npm-nconf-0.10.0 in branch master
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.
Namespace: RobertMickleCx
Repository: NodeGoat
Repository Url: https://github.com/RobertMickleCx/NodeGoat
CxAST-Project: RobertMickleCx/NodeGoat
CxAST platform scan: 3f4864fd-127b-412c-8cca-4b4873ce2f29
Branch: master
Application: NodeGoat
Severity: HIGH
State: NOT_IGNORED
Status: RECURRENT
CWE: CWE-1321
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: NONE
Remediation Upgrade Recommendation: 0.11.4
References
Advisory
Release Note
Issue
Pull request
Commit
Vulnerable Package issue exists @ Npm-nconf-0.10.0 in branch master
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.
Namespace: RobertMickleCx
Repository: NodeGoat
Repository Url: https://github.com/RobertMickleCx/NodeGoat
CxAST-Project: RobertMickleCx/NodeGoat
CxAST platform scan: 3f4864fd-127b-412c-8cca-4b4873ce2f29
Branch: master
Application: NodeGoat
Severity: HIGH
State: NOT_IGNORED
Status: RECURRENT
CWE: CWE-1321
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: NONE
Remediation Upgrade Recommendation: 0.11.4
References
Advisory
Release Note
Issue
Pull request
Commit