tough-cookie Prototype Pollution vulnerability #29

Closed
opened 2023-07-18 04:49:13 +00:00 by argoyle · 0 comments
argoyle commented 2023-07-18 04:49:13 +00:00 (Migrated from gitlab.com)

⚠️ `dependabot-gitlab` has detected a security vulnerability for `tough-cookie` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️

| Package | Severity | Affected versions | Patched versions | IDs |
|--------------------|----------|-------------------|------------------|------------------------------------------|
| tough-cookie (NPM) | MODERATE | < 4.1.3 | 4.1.3 | `GHSA-72xf-g2v4-qvf3`, `CVE-2023-26136` |

Description

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.

References

* https://github.com/advisories/GHSA-72xf-g2v4-qvf3
* https://nvd.nist.gov/vuln/detail/CVE-2023-26136
* https://github.com/salesforce/tough-cookie/issues/282
* https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
* https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3
* https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
* https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html
argoyle (Migrated from gitlab.com) closed this issue 2023-07-22 07:57:32 +00:00
Reference: dancefinder/dancefinder-app#29