CVE-2023-30857 - OpenCVE

@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Aedart	Ion

Configuration 1 [-]

cpe:2.3:a:aedart:ion:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291
https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-28T20:37:41.391Z

Updated: 2024-08-02T14:37:15.508Z

Reserved: 2023-04-18T16:13:15.882Z

Link: CVE-2023-30857

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-04-28T21:15:09.127

Modified: 2023-05-08T17:29:51.240

Link: CVE-2023-30857

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30857", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-18T16:13:15.882Z", "datePublished": "2023-04-28T20:37:41.391Z", "dateUpdated": "2024-08-02T14:37:15.508Z"}, "containers": {"cna": {"title": "@aedart/support possibly vulnerable to prototype pollution in metadata record, when using meta decorator", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"}, {"name": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291", "tags": ["x_refsource_MISC"], "url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"}], "affected": [{"vendor": "aedart", "product": "ion", "versions": [{"version": "< 0.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-28T20:37:41.391Z"}, "descriptions": [{"lang": "en", "value": "@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.\n"}], "source": {"advisory": "GHSA-wwxh-74fx-33c6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.508Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"}, {"name": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aedart:ion:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "80FB7841-5B3F-48A1-9CD7-5B4CDF9723A1", "versionEndExcluding": "0.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.\n"}], "id": "CVE-2023-30857", "lastModified": "2023-05-08T17:29:51.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-04-28T21:15:09.127", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}