{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-0163","assignerOrgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","state":"PUBLISHED","assignerShortName":"mozilla","dateReserved":"2023-01-10T18:24:38.341Z","datePublished":"2024-11-26T11:36:26.574Z","dateUpdated":"2024-11-27T16:02:29.836Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unknown","product":"Convict","vendor":"Mozilla","versions":[{"lessThan":"6.2.4","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"analyst","value":"Captain-K-101"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict.</p><p>This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.\n</p><div><p>The main use case of Convict is for handling server-side \nconfigurations written by the admins owning the servers, and not random \nusers. So it's unlikely that an admin would deliberately sabotage their \nown server. Still, a situation can happen where an admin not \nknowledgeable about JavaScript could be tricked by an attacker into \nwriting the malicious JavaScript code into some config files.</p></div><p>This issue affects Convict: before 6.2.4.</p>"}],"value":"Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict.\n\nThis allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.\n\n\nThe main use case of Convict is for handling server-side \nconfigurations written by the admins owning the servers, and not random \nusers. So it's unlikely that an admin would deliberately sabotage their \nown server. 
Still, a situation can happen where an admin not \nknowledgeable about JavaScript could be tricked by an attacker into \nwriting the malicious JavaScript code into some config files.\n\n\n\nThis issue affects Convict: before 6.2.4."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1321","description":"CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","shortName":"mozilla","dateUpdated":"2024-11-26T11:36:26.574Z"},"references":[{"tags":["issue-tracking"],"url":"https://github.com/mozilla/node-convict/issues/410"},{"tags":["vendor-advisory"],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf"}],"source":{"discovery":"UNKNOWN"},"title":"Prototype Pollution in convict","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"mozilla","product":"convict","cpes":["cpe:2.3:a:mozilla:convict:-:*:*:*:*:node.js:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"6.2.4","versionType":"semver"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":8.4,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-11-27T15:59:57.809994Z","id":"CVE-2023-0163","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-27T16:02:29.836Z"}}]}}
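Added example (not part of the CVE record, and not Convict's code): a minimal model of the CWE-1321 bug class the description refers to. A config loader deep-merges a parsed JSON document into its defaults, so a config file carrying a `"__proto__"` key writes into `Object.prototype`. The block shows both consequences the description names, an injected attribute that becomes visible on unrelated objects and an existing attribute overridden with an incompatible type that crashes another component, next to a hardened merge that rejects the prototype-reaching keys. `mergeUnsafe`, `mergeSafe`, `computeDeadline`, `demonstrate` and the config string are all constructed for illustration; the actual Convict code path fixed in 6.2.4 is not reproduced here.

```javascript
'use strict';

// Illustrative model of the CWE-1321 bug class, written for this note.
// It is NOT Convict's code and does not reproduce the path fixed in 6.2.4.

// Keys that must never be walked when merging an untrusted object tree.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable deep merge: JSON.parse stores "__proto__" as an ordinary own
// property, Object.keys() returns it, and target['__proto__'] resolves to
// Object.prototype, so the recursion writes into the global prototype.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: refuse the prototype-reaching keys outright and only
// recurse into objects the target actually owns, never inherited ones.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge unsafe key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed config file: what a tricked admin might paste in. Kept as a
// string because an object literal's __proto__ key would set the prototype
// instead of producing an own property the way JSON.parse does.
const MALICIOUS_CONFIG =
  '{"port": 8080, "__proto__": {"isAdmin": true, "timeout": "never"}}';

// Constructed unrelated component. It expects a numeric timeout or none at
// all; an inherited string "timeout" is neither null nor undefined, so it is
// used and the Number method call throws a TypeError.
function computeDeadline(opts) {
  const timeout = opts.timeout ?? 30;
  return timeout.toFixed(0);
}

// Load the config with the given merge strategy and report what happened.
// Object.prototype is restored afterwards so the two runs do not interfere.
function demonstrate(merge) {
  const report = { rejected: false, polluted: false, crashed: false };
  try {
    merge({ port: 3000 }, JSON.parse(MALICIOUS_CONFIG));
  } catch (err) {
    report.rejected = true;
  }
  const unrelated = {};
  report.polluted = unrelated.isAdmin === true;   // injected attribute leaks to every object
  try {
    computeDeadline({});
  } catch (err) {
    report.crashed = err instanceof TypeError;    // existing attribute overridden with wrong type
  }
  delete Object.prototype.isAdmin;
  delete Object.prototype.timeout;
  return report;
}

console.log('vulnerable merge:', demonstrate(mergeUnsafe));
console.log('hardened merge:  ', demonstrate(mergeSafe));
```

The vulnerable run reports `polluted: true, crashed: true`; the hardened run reports `rejected: true` with no pollution and no crash. Rejecting the key (rather than silently dropping it) is a design choice for this model: a config that contains `__proto__` is never legitimate, and failing loudly tells the admin something is wrong with the file.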