CVE-2024-32866 - OpenCVE

Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Edmundhung	Conform

No data.

No data.

References

Link	Providers
https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117
https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de
https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-23T21:07:06.216Z

Updated: 2024-08-02T02:20:35.639Z

Reserved: 2024-04-19T14:07:11.228Z

Link: CVE-2024-32866

Vulnrichment

Updated: 2024-04-29T12:19:21.590Z

NVD

Status : Awaiting Analysis

Published: 2024-04-23T21:15:48.407

Modified: 2024-04-24T13:39:42.883

Link: CVE-2024-32866

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32866", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-19T14:07:11.228Z", "datePublished": "2024-04-23T21:07:06.216Z", "dateUpdated": "2024-08-02T02:20:35.639Z"}, "containers": {"cna": {"title": "Conform contains Prototype Pollution Vulnerability in `parseWith...` function", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf"}, {"name": "https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de", "tags": ["x_refsource_MISC"], "url": "https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de"}, {"name": "https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117", "tags": ["x_refsource_MISC"], "url": "https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117"}], "affected": [{"vendor": "edmundhung", "product": "conform", "versions": [{"version": "< 1.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-23T21:07:06.216Z"}, "descriptions": [{"lang": "en", "value": "Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.\n"}], "source": {"advisory": "GHSA-624g-8qjg-8qxf", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32866", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-29T12:18:26.633617Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:edmundhung:conform:*:*:*:*:*:*:*:*"], "vendor": "edmundhung", "product": "conform", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:50:16.913Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.639Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf"}, {"name": "https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de"}, {"name": "https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32866", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-19T14:07:11.228Z", "datePublished": "2024-04-23T21:07:06.216Z", "dateUpdated": "2024-06-04T17:50:16.913Z"}, "containers": {"cna": {"title": "Conform contains Prototype Pollution Vulnerability in `parseWith...` function", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf"}, {"name": "https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de", "tags": ["x_refsource_MISC"], "url": "https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de"}, {"name": "https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117", "tags": ["x_refsource_MISC"], "url": "https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117"}], "affected": [{"vendor": "edmundhung", "product": "conform", "versions": [{"version": "< 1.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-23T21:07:06.216Z"}, "descriptions": [{"lang": "en", "value": "Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.\n"}], "source": {"advisory": "GHSA-624g-8qjg-8qxf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32866", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-29T12:18:26.633617Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:edmundhung:conform:*:*:*:*:*:*:*:*"], "vendor": "edmundhung", "product": "conform", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T12:19:21.590Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.\n"}, {"lang": "es", "value": "Conform, una librer\u00eda de validaci\u00f3n de formularios con seguridad de tipos, permite el an\u00e1lisis de objetos anidados en forma de `object.property`. Debido a una implementaci\u00f3n incorrecta de esta caracter\u00edstica en versiones anteriores a la 1.1.1, un atacante puede explotar la caracter\u00edstica para desencadenar la contaminaci\u00f3n del prototipo pasando una entrada manipulada a las funciones `parseWith...`. Esta vulnerabilidad afecta a las aplicaciones que utilizan conform para la validaci\u00f3n del lado del servidor de datos de formulario o par\u00e1metros de URL. La versi\u00f3n 1.1.1 contiene un parche para el problema."}], "id": "CVE-2024-32866", "lastModified": "2024-04-24T13:39:42.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-23T21:15:48.407", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117"}, {"source": "security-advisories@github.com", "url": "https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de"}, {"source": "security-advisories@github.com", "url": "https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}