CVE-2022-0108: Prototype Pollution in node-forge
Platform
chrome
Component
google-chrome
Fixed version
97.0.4692.71
CVE-2022-0108 identifies a prototype pollution vulnerability within the node-forge library, specifically affecting versions prior to 1.0.0. This issue stems from the forge.debug API, which was intended for internal debugging purposes and not designed to handle untrusted input. While the API's usage was limited and considered safe, exploitation is possible if it's inadvertently exposed to external data.
Impact and attack scenarios
A successful prototype pollution attack could allow an attacker to modify the prototype of JavaScript objects, potentially leading to unexpected behavior or denial of service. While the forge.debug API was not publicly documented or advertised, its misuse with untrusted input could corrupt internal data structures within applications relying on node-forge. The impact is considered low due to the limited usage and intended purpose of the API, but any modification of prototypes can have unpredictable consequences, especially in complex applications. This vulnerability highlights the importance of carefully controlling access to internal APIs and validating all external input.
Exploitation status
This vulnerability was reported through Huntr.dev and published on 2022-01-08. The CVSS score is LOW (2.5). There are no known public exploits or active campaigns targeting this vulnerability. The low CVSS score and limited exposure of the forge.debug API suggest a low probability of exploitation in the wild.
Threat intelligence
Exploit status
EPSS
0.33% (56th percentile)
Affected software
Timeline
- Reserved
- Published
- Updated
- EPSS updated
Mitigations and workarounds
The primary mitigation for CVE-2022-0108 is to upgrade to version 1.0.0 of node-forge, which removes the vulnerable forge.debug API. If upgrading is not immediately feasible, avoid using the forge.debug API directly or indirectly with any untrusted input. Thoroughly review your application's code to identify any instances where the API might be called with external data. Consider implementing input validation and sanitization to prevent malicious data from reaching the API, although this is not a substitute for upgrading.
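An added example (not from the advisory or the node-forge project) of the review described above: it lists every node-forge copy recorded in a package-lock.json that is older than 1.0.0, transitive copies included, and flags source lines that reference forge.debug. The lockfile fragment, the `some-dep` package and the call site are constructed sample input.

```javascript
const FIXED = [1, 0, 0]; // first fixed node-forge release, per the advisory text
// True when a version string is older than 1.0.0 (1.0.0 pre-releases count as older).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version || '');
  if (!m) return true; // unparseable (e.g. a git URL): flag for manual review
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Reads the "packages" map (lockfileVersion 2/3) or nested "dependencies" (version 1).
function findForgeCopies(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/node-forge$/.test(path)) hits.push({ path, version: info.version });
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'node-forge') hits.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Line numbers of source lines that reference the forge.debug API.
function findDebugUses(source) {
  return source.split('\n')
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter((l) => /\bforge\.debug\b/.test(l.text));
}

// Constructed sample input: a lockfile fragment and an application source file.
const sampleLock = { lockfileVersion: 2, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/node-forge': { version: '1.3.1' },
  'node_modules/some-dep/node_modules/node-forge': { version: '0.10.0' },
} };
const sampleSource = [
  "const forge = require('node-forge');",
  "forge.debug.set('session', key, value); // hypothetical call site",
  "const md = forge.md.sha256.create();",
].join('\n');
console.log(findForgeCopies(sampleLock).filter((c) => c.affected));
console.log(findDebugUses(sampleSource));
```

A copy nested under another package stays affected even when the top-level node-forge is already at 1.0.0 or later, which is why the walk covers the whole tree.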
How to fix
Update Google Chrome to version 97.0.4692.71 or later. The update can be performed through the browser settings or by downloading the latest version from the official Google Chrome website.
Frequently asked questions
What is CVE-2022-0108 — Prototype Pollution in node-forge?
CVE-2022-0108 is a LOW severity vulnerability in node-forge versions before 1.0.0. It involves a prototype pollution issue in the internal forge.debug API, potentially allowing attackers to modify object prototypes with untrusted input.
Am I affected by CVE-2022-0108 in node-forge?
You are affected if you are using node-forge versions 0.10.0 or earlier and your application uses the forge.debug API with untrusted input. Upgrade to 1.0.0 to resolve this.
How do I fix CVE-2022-0108 in node-forge?
Upgrade to node-forge version 1.0.0 or later. This version removes the vulnerable forge.debug API. Avoid using the API with untrusted input if upgrading is not immediately possible.
Is CVE-2022-0108 being actively exploited?
Currently, there are no known public exploits or active campaigns targeting CVE-2022-0108. However, it's crucial to apply the fix to prevent potential future exploitation.
Where can I find the official node-forge advisory for CVE-2022-0108?
You can find information about this vulnerability and the fix on the Huntr.dev bounty page: https://www.huntr.dev/bounties/1-npm-node-forge/