PT-2022-9423 · Appwrite+1 · Appwrite/Server-Ce+1

Alessio Della Libera

Published

2022-02-16

Updated

2022-02-24

CVE-2021-23682

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions litespeed.js versions prior to 0.3.12 appwrite/server-ce versions 0.12.0 through 0.12.1 appwrite/server-ce versions prior to 0.11.1

Description The issue arises from improper sanitization of the key set in the result object when parsing the query string in the getJsonFromUrl function, leading to a Prototype Pollution issue.

Recommendations For litespeed.js versions prior to 0.3.12, update to version 0.3.12 or later. For appwrite/server-ce versions 0.12.0 through 0.12.1, update to version 0.12.2 or later. For appwrite/server-ce versions prior to 0.11.1, update to version 0.11.1 or later.

Exploit

Fix

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1321

Related Identifiers

CVE-2021-23682

GHSA-V9P9-535W-4285

SNYK-JS-LITESPEEDJS-2359250

SNYK-PHP-APPWRITESERVERCE-2401820

Affected Products

Appwrite/Server-Ce

Litespeed.Js

PT-2022-9423 · Appwrite+1 · Appwrite/Server-Ce+1

CVE-2021-23682

Weakness Enumeration

Related Identifiers

Affected Products

References · 9