CVE-2022-23623 - OpenCVE

Frourio is a full stack framework, for TypeScript. Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations and some input is not validated at all. Users are advised to update frourio to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Frourio	Frourio

Configuration 1 [-]

cpe:2.3:a:frourio:frourio:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/frouriojs/frourio/commit/7c19ac5363305b81b1c6b5232620228763d427af
https://github.com/frouriojs/frourio/security/advisories/GHSA-8xxm-h73r-ghfj

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-02-07T22:15:16

Updated: 2024-08-03T03:51:45.687Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23623

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-07T23:15:07.787

Modified: 2023-07-13T15:52:57.683

Link: CVE-2022-23623

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "frourio", "vendor": "frouriojs", "versions": [{"status": "affected", "version": "< 0.26.0"}]}], "descriptions": [{"lang": "en", "value": "Frourio is a full stack framework, for TypeScript. Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations and some input is not validated at all. Users are advised to update frourio to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-07T22:15:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frouriojs/frourio/security/advisories/GHSA-8xxm-h73r-ghfj"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/frouriojs/frourio/commit/7c19ac5363305b81b1c6b5232620228763d427af"}], "source": {"advisory": "GHSA-8xxm-h73r-ghfj", "discovery": "UNKNOWN"}, "title": "Validation bypass in frourio", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-23623", "STATE": "PUBLIC", "TITLE": "Validation bypass in frourio"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "frourio", "version": {"version_data": [{"version_value": "< 0.26.0"}]}}]}, "vendor_name": "frouriojs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Frourio is a full stack framework, for TypeScript. Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations and some input is not validated at all. Users are advised to update frourio to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/frouriojs/frourio/security/advisories/GHSA-8xxm-h73r-ghfj", "refsource": "CONFIRM", "url": "https://github.com/frouriojs/frourio/security/advisories/GHSA-8xxm-h73r-ghfj"}, {"name": "https://github.com/frouriojs/frourio/commit/7c19ac5363305b81b1c6b5232620228763d427af", "refsource": "MISC", "url": "https://github.com/frouriojs/frourio/commit/7c19ac5363305b81b1c6b5232620228763d427af"}]}, "source": {"advisory": "GHSA-8xxm-h73r-ghfj", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:51:45.687Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/frouriojs/frourio/security/advisories/GHSA-8xxm-h73r-ghfj"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/frouriojs/frourio/commit/7c19ac5363305b81b1c6b5232620228763d427af"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-23623", "datePublished": "2022-02-07T22:15:16", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:51:45.687Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frourio:frourio:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D45F0DD6-6F73-4939-AF09-67FB139ED8E1", "versionEndExcluding": "0.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frourio is a full stack framework, for TypeScript. Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations and some input is not validated at all. Users are advised to update frourio to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`."}, {"lang": "es", "value": "Frourio es un framework de pila completa, para TypeScript. Los usuarios que usen Frourio versiones anteriores a v0.26.0 y la integraci\u00f3n con class-validator mediante la carpeta \"validators/\" est\u00e1n sujetos a una vulnerabilidad de comprobaci\u00f3n de entradas. Los comprobadores no funcionan apropiadamente para los cuerpos de petici\u00f3n y las consultas en situaciones espec\u00edficas y algunas entradas no son comprobadas en absoluto. Es recomendado a usuarios actualizar frourio a versi\u00f3n 0.26.0 o posterior y instalar \"class-transformer\" y \"reflect-metadata\""}], "id": "CVE-2022-23623", "lastModified": "2023-07-13T15:52:57.683", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-02-07T23:15:07.787", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/frouriojs/frourio/commit/7c19ac5363305b81b1c6b5232620228763d427af"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/frouriojs/frourio/security/advisories/GHSA-8xxm-h73r-ghfj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}, {"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}