#VU78870 Prototype pollution in protobuf.js - CVE-2023-36665


Vulnerability identifier: #VU78870

Vulnerability risk: Critical

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]

CVE-ID: CVE-2023-36665

CWE-ID: CWE-1321

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
protobuf.js
Universal components / Libraries / Programming Languages & Components

Vendor: protobuf.js

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pollute the prototype of Object.prototype by adding and overwriting its data and functions.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..

Vulnerable software versions

protobuf.js: before 7.2.4

External links
https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d
https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4
https://github.com/protobufjs/protobuf.js/pull/1899
https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Prototype pollution in IBM Storage Ceph
Multiple vulnerabilities in IBM QRadar Suite Software
Prototype pollution in IBM Maximo Application Suite
Multiple vulnerabilities in IBM App Connect Enterprise
Multiple vulnerabilities in IBM Voice Gateway
Prototype pollution in IBM App Connect Enterprise Certified Container
Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps