CVE-2022-0108: Prototype Pollution in node-forge

Platform: chrome
Component: google-chrome
Fixed in: 97.0.4692.71


CVE-2022-0108 identifies a prototype pollution vulnerability in the node-forge library affecting versions before 1.0.0. The issue lies in the forge.debug API, an internal debugging helper that was never designed to receive untrusted input: attacker-controlled keys such as __proto__ can be used to write into the prototype chain of plain JavaScript objects. Because the API's use was limited and assumed to see only trusted data, it was considered safe, but exploitation becomes possible wherever it is inadvertently fed external data.

Impact and Attack Scenarios

A successful prototype pollution attack lets an attacker add or overwrite properties on Object.prototype, so every plain object created afterwards inherits the injected property. Depending on how the application consumes those objects, this can cause unexpected behaviour or denial of service. Although the forge.debug API was neither publicly documented nor advertised, calling it with untrusted input could corrupt internal data structures in applications that rely on node-forge. The impact is rated low because of the API's limited use and internal purpose, but any modification of shared prototypes has unpredictable consequences, especially in complex applications. The vulnerability underlines the importance of restricting access to internal APIs and validating all external input.
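The following added example is not node-forge's code and does not reproduce the forge.debug implementation; it is a minimal two-level "category/name" store written here to show how the pattern described above fails and what the hardened form looks like. The attacker-controlled inputs (the category "__proto__" and the property name "polluted") are constructed for the demonstration.

```javascript
// Added illustration of the prototype-pollution pattern described above.
// NOT node-forge's code: a minimal "category/name" store of the kind the
// advisory describes, with the vulnerable and the hardened form side by side.

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Vulnerable: `in` walks the prototype chain, so "__proto__" looks like an
// existing category; storage["__proto__"] then resolves to Object.prototype
// and the bracket assignment writes the attacker's property onto it.
function vulnerableSet(storage, cat, name, data) {
  if (!(cat in storage)) {
    storage[cat] = {};
  }
  const previous = name in storage[cat] ? storage[cat][name] : null;
  storage[cat][name] = data;
  return previous;
}

// Hardened: reject keys that reach the prototype chain, keep storage on
// null-prototype objects, and only ever consult own properties.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function assertSafeKey(key) {
  if (typeof key !== "string" || FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing unsafe key: ${String(key)}`);
  }
}

function createStorage() {
  return Object.create(null);
}

function hardenedSet(storage, cat, name, data) {
  assertSafeKey(cat);
  assertSafeKey(name);
  if (!hasOwn(storage, cat)) {
    storage[cat] = Object.create(null);
  }
  const bucket = storage[cat];
  const previous = hasOwn(bucket, name) ? bucket[name] : null;
  bucket[name] = data;
  return previous;
}

// Runs both variants against the same constructed attacker input and reports
// whether an unrelated fresh object ended up carrying the injected property.
function demo() {
  const attackerCat = "__proto__";  // constructed attacker-controlled input
  const attackerName = "polluted";  // constructed attacker-controlled input
  const result = {};

  const vulnStore = {};
  vulnerableSet(vulnStore, attackerCat, attackerName, "yes");
  result.vulnerablePolluted = ({}).polluted === "yes";
  delete Object.prototype.polluted; // undo the global side effect

  const safeStore = createStorage();
  let rejected = false;
  try {
    hardenedSet(safeStore, attackerCat, attackerName, "yes");
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  result.hardenedRejected = rejected;
  result.hardenedPolluted = ({}).polluted === "yes";

  // Legitimate use still works and still returns the previous value.
  hardenedSet(safeStore, "tls", "lastRecord", 1);
  result.previous = hardenedSet(safeStore, "tls", "lastRecord", 2);
  return result;
}

console.log(demo());
```

The two defences are independent: the key deny-list stops the known gadget names, and the null-prototype storage plus own-property checks mean that even an unexpected key cannot reach Object.prototype through the store. Freezing Object.prototype at startup is a further, blunter option, but it breaks any dependency that legitimately extends built-in prototypes, so test before relying on it.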

Exploitation Context

This vulnerability was reported through Huntr.dev and published on 2022-01-08. The CVSS score is LOW (2.5). No public exploits or active campaigns targeting it are known. The low CVSS score and the limited exposure of the forge.debug API suggest a low probability of exploitation in the wild.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No

EPSS

0.33% (percentile 56%)

Affected Software

Component: google-chrome
Vendor: Google
Maximum version: 97.0.4692.71
Fixed in: 97.0.4692.71

Note that this affected-software record lists Google Chrome, while the description, mitigation and FAQ on this page concern node-forge before 1.0.0. Verify the affected product against the upstream advisory before acting on either record.

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2022-0108 is to upgrade to node-forge 1.0.0 or later, which removes the vulnerable forge.debug API. If upgrading is not immediately feasible, ensure the forge.debug API is never called, directly or indirectly, with untrusted input: review your application's code for any path by which external data could reach it, and audit transitive dependencies as well, since a nested copy of node-forge is just as exposed as a direct one. Input validation that rejects keys such as __proto__, constructor and prototype reduces the risk but is not a substitute for upgrading.

How to fix

Update Google Chrome to version 97.0.4692.71 or later. The update can be applied through the browser settings or by downloading the latest version from the official Google Chrome website.

Frequently Asked Questions

What is CVE-2022-0108 — Prototype Pollution in node-forge?

CVE-2022-0108 is a LOW severity vulnerability in node-forge versions before 1.0.0. It involves a prototype pollution issue in the internal forge.debug API, potentially allowing attackers to modify object prototypes with untrusted input.

Am I affected by CVE-2022-0108 in node-forge?

You are affected if any copy of node-forge in your dependency tree, direct or transitive, is older than 1.0.0 and your application can reach the forge.debug API with untrusted input. Upgrade to 1.0.0 or later to resolve this.
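As an added example (not part of the advisory or of node-forge), the script below checks an npm lockfile for copies of node-forge below 1.0.0, including transitive copies nested under other packages. It understands the "packages" map of lockfileVersion 2 and 3 and the older "dependencies" tree of lockfileVersion 1. The lockfile it scans is constructed inline for the demonstration; the package name "some-lib" and all versions in it are made up.

```javascript
// Added example: find node-forge < 1.0.0 anywhere in a package-lock.json.
// The sample lockfile at the bottom is constructed for this demo.

const FIXED_VERSION = "1.0.0";

// Parse "major.minor.patch", tolerating a leading "v" and any prerelease
// or build suffix such as "0.10.0-beta.1".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every install path of node-forge. lockfileVersion 2 carries both
// "packages" and "dependencies", so prefer "packages" to avoid duplicates.
function findNodeForge(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "node_modules/node-forge" || path.endsWith("/node_modules/node-forge")) {
        found.push({ path, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "node-forge") found.push({ path, version: entry.version });
      if (entry.dependencies) walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

function vulnerableNodeForge(lock) {
  return findNodeForge(lock).filter(e => compareVersions(e.version, FIXED_VERSION) < 0);
}

// Constructed sample (lockfileVersion 3): the direct dependency is patched,
// but a transitive copy under the made-up package "some-lib" is not.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "node-forge": "^1.0.0", "some-lib": "1.2.3" } },
    "node_modules/node-forge": { version: "1.3.1" },
    "node_modules/some-lib": { version: "1.2.3", dependencies: { "node-forge": "^0.10.0" } },
    "node_modules/some-lib/node_modules/node-forge": { version: "0.10.0" },
  },
};

// One line per vulnerable copy, suitable for a CI log.
function report(lock = SAMPLE_LOCK) {
  return vulnerableNodeForge(lock).map(e => `${e.path}@${e.version} < ${FIXED_VERSION}`);
}

console.log(report().join("\n") || "no vulnerable node-forge found");
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. The nested path in the sample is the case a naive `npm ls node-forge` reader tends to miss when only the top-level entry is checked.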

How do I fix CVE-2022-0108 in node-forge?

Upgrade to node-forge version 1.0.0 or later. This version removes the vulnerable forge.debug API. Avoid using the API with untrusted input if upgrading is not immediately possible.

Is CVE-2022-0108 being actively exploited?

Currently, there are no known public exploits or active campaigns targeting CVE-2022-0108. However, it's crucial to apply the fix to prevent potential future exploitation.

Where can I find the official node-forge advisory for CVE-2022-0108?

You can find information about this vulnerability and the fix on the Huntr.dev bounty page: https://www.huntr.dev/bounties/1-npm-node-forge/
