We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-36665



Description

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

Reserved 2023-06-25 | Published 2023-07-05 | Updated 2024-08-02 | Assigner mitre

References

github.com/.../compare/protobufjs-v7.2.3...protobufjs-v7.2.4

github.com/...ommit/e66379f451b0393c27d87b37fa7d271619e16b0d

www.code-intelligence.com/...totype-pollution-cve-2023-36665

github.com/...fjs/protobuf.js/releases/tag/protobufjs-v7.2.4

github.com/protobufjs/protobuf.js/pull/1899

security.netapp.com/advisory/ntap-20240628-0006/

cve.org (CVE-2023-36665)

nvd.nist.gov (CVE-2023-36665)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2023-36665

Support options

Helpdesk Chat, Email, Knowledgebase