PT-2020-6069 · Yargs+4 · Yargs-Parser+4

Published: 2020-03-16 · Updated: 2022-11-15 · CVE-2020-7608

CVSS v3.1: 5.3 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
yargs-parser versions prior to 13.1.2
yargs-parser versions prior to 15.0.1
yargs-parser versions prior to 18.1.1

Description
The issue affects the yargs-parser library, which can be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload. This leads to prototype pollution, which a remote attacker can use to mount an attack. The vulnerability is caused by the lack of proper sanitization of argument names, which lets an attacker modify the prototype of Object. For example, parsing the argument `--foo.__proto__.bar baz` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendations
Upgrade to version 13.1.2 or later.
Upgrade to version 15.0.1 or later.
Upgrade to version 18.1.1 or later.
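To make the mechanism and the fix concrete, the following is an added example written for this page; it is not yargs-parser's own code and does not reproduce its internals. It implements a minimal `--a.b.c value` argument parser in the style the description refers to, once with an unguarded dotted-key setter and once with a hardened setter that refuses the `__proto__`, `constructor` and `prototype` segments. The argument strings are constructed for illustration; the payload is the one quoted in the description.

```javascript
// Added example, not yargs-parser code: a tiny "--key.sub value" parser with
// an unsafe and a hardened path setter, to show where prototype pollution
// enters and how input sanitization of key segments stops it.

// Walk argv, turning "--key value" (or a bare "--flag") into properties on
// a fresh object via the supplied setter. Nothing here is yargs-parser's API.
function parseArgs(argv, setPath) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const key = argv[i].slice(2);
    let value = true; // bare flag
    if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[i + 1];
      i++;
    }
    setPath(out, key, value);
  }
  return out;
}

// UNSAFE: splits on "." and walks the object without checking key names.
// On a plain object, obj['__proto__'] resolves to Object.prototype, so the
// final assignment for "foo.__proto__.bar" lands on the shared prototype.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (obj[keys[i]] === undefined) obj[keys[i]] = {};
    obj = obj[keys[i]];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// HARDENED: reject any segment that can reach a prototype, and only descend
// into own properties so inherited objects are never used as a container.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_SEGMENTS.has(k)) {
      throw new Error(`refusing unsafe key segment "${k}" in --${path}`);
    }
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, k);
    if (!own || typeof obj[k] !== 'object' || obj[k] === null) {
      obj[k] = {};
    }
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// The advisory's example argument, as an argv array (constructed input).
const POLLUTING_ARGV = ['--foo.__proto__.bar', 'baz'];

// Run the payload through the unsafe setter and report what an unrelated,
// freshly created object sees on "bar". The pollution is removed afterwards
// so the rest of the process is not affected.
function demonstrateUnsafe() {
  parseArgs(POLLUTING_ARGV, setPathUnsafe);
  const leaked = ({}).bar; // 'baz': every object now inherits bar
  delete Object.prototype.bar;
  return leaked;
}

// Same payload through the hardened setter: the parse is refused outright.
function demonstrateSafe() {
  try {
    parseArgs(POLLUTING_ARGV, setPathSafe);
    return 'parsed';
  } catch (e) {
    return 'rejected';
  }
}

// Benign nested keys still work with the hardened setter.
function demonstrateBenign() {
  return parseArgs(['--db.host', 'localhost', '--verbose'], setPathSafe);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe setter, ({}).bar after parse:', demonstrateUnsafe());
  console.log('hardened setter, same payload:', demonstrateSafe());
  console.log('hardened setter, benign input:', demonstrateBenign());
}
```

The fixed yargs-parser releases named in the recommendations take the same general approach of treating `__proto__` as an illegal key rather than a path segment; the exact checks in the library differ from this example, so upgrading remains the actual remediation. The `delete Object.prototype.bar` line exists only so the demonstration leaves no trace in the running process.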

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

ALSA-2020:5499
ALSA-2021:0548
BDU:2021-02883
CESA-2020_5499
CESA-2021_0548
CVE-2020-7608
GHSA-P9PC-299P-VXGP
MGASA-2021-0170
RHSA-2020:5305
RHSA-2020:5499
RHSA-2020_5499
RHSA-2021:0521
RHSA-2021:0548
RHSA-2021_0548
RLSA-2020:5499
RLSA-2021:0548
SNYK-JS-YARGSPARSER-560381

Affected Products

Almalinux
Centos
Red Hat
Rocky Linux
Yargs-Parser