CVE-2023-30857 - Vulnerability Details - OpenCVE

@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Aedart	Ion

Configuration 1 [-]

cpe:2.3:a:aedart:ion:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291
https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6

History

Thu, 30 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-28T20:37:41.391Z

Updated: 2025-01-30T19:50:17.148Z

Reserved: 2023-04-18T16:13:15.882Z

Link: CVE-2023-30857

Vulnrichment

Updated: 2024-08-02T14:37:15.508Z

NVD

Status : Modified

Published: 2023-04-28T21:15:09.127

Modified: 2024-11-21T08:00:59.107

Link: CVE-2023-30857

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30857", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-18T16:13:15.882Z", "datePublished": "2023-04-28T20:37:41.391Z", "dateUpdated": "2025-01-30T19:50:17.148Z"}, "containers": {"cna": {"title": "@aedart/support possibly vulnerable to prototype pollution in metadata record, when using meta decorator", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"}, {"name": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291", "tags": ["x_refsource_MISC"], "url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"}], "affected": [{"vendor": "aedart", "product": "ion", "versions": [{"version": "< 0.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-28T20:37:41.391Z"}, "descriptions": [{"lang": "en", "value": "@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.\n"}], "source": {"advisory": "GHSA-wwxh-74fx-33c6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.508Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"}, {"name": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-30T19:50:08.558162Z", "id": "CVE-2023-30857", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-30T19:50:17.148Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6", "name": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291", "name": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.508Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-30857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-30T19:50:08.558162Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-30T19:50:13.190Z"}}], "cna": {"title": "@aedart/support possibly vulnerable to prototype pollution in metadata record, when using meta decorator", "source": {"advisory": "GHSA-wwxh-74fx-33c6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "aedart", "product": "ion", "versions": [{"status": "affected", "version": "< 0.6.1"}]}], "references": [{"url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6", "name": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291", "name": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-28T20:37:41.391Z"}}}, "cveMetadata": {"cveId": "CVE-2023-30857", "state": "PUBLISHED", "dateUpdated": "2025-01-30T19:50:17.148Z", "dateReserved": "2023-04-18T16:13:15.882Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-04-28T20:37:41.391Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aedart:ion:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "80FB7841-5B3F-48A1-9CD7-5B4CDF9723A1", "versionEndExcluding": "0.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.\n"}], "id": "CVE-2023-30857", "lastModified": "2024-11-21T08:00:59.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-28T21:15:09.127", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}