Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2021-23433

High

9.8/10

Summary

The package algoliasearch-helper versions through 0.0.0-27d41bf and 0.0.0-5a0352a through 3.6.1 are vulnerable to Prototype Pollution due to use of the "merge" function in "src/SearchParameters/index.js#SearchParameters._parseNumbers" without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-1321 - Prototype Pollution

Prototype pollution is one of the lesser-known vulnerabilities. It allows attackers to abuse the rules of JavaScript by injecting properties into the general object “Object” in JS. Modifying the prototype of “Object” affects the behavior of all objects in the entire app, potentially resulting in denial of service, arbitrary code execution, cross-site scripting, etc.

References

Advisory Timeline

Published Nov 19, 2021

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2021-23433

Summary

CWE-1321 - Prototype Pollution

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS