PT-2023-9752 · Mozilla · Convict

Captain-K-101

·

Published

2023-01-10

·

Updated

2025-10-15

·

CVE-2023-0163

CVSS v3.1

8.4

High

Vector

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Mozilla Convict versions prior to 6.2.4

Description

The issue is an improperly controlled modification of object prototype attributes, commonly known as "prototype pollution." An attacker who can influence a configuration key path can inject properties that other components later read, or overwrite existing properties with values of incompatible types, which may crash the application. The main use case of Convict is handling server-side configuration written by the administrators who own the server, and it is unlikely that an administrator would deliberately sabotage their own system. However, an administrator who is not knowledgeable about JavaScript could be tricked by an attacker into writing malicious content into a config file.

Recommendations

For Mozilla Convict versions prior to 6.2.4, upgrade to version 6.2.4, which resolves the issue. As a temporary workaround, restrict write access to the configuration files that Convict loads to trusted administrators, and do not load configuration from sources an attacker could influence.
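To illustrate the class of bug described above, the following is an added example and not Convict's own code: a minimal dotted-path setter of the kind configuration libraries use to apply `a.b.c` keys, shown first in a vulnerable form and then hardened. The function names, the `__proto__.isAdmin` key path and the `db.port` value are constructed for the demonstration and are not taken from the advisory.

```javascript
// Added illustration of prototype pollution via a dotted config key path.
// Not Convict's implementation; names and inputs are constructed for the demo.

// Vulnerable: walks the path with plain property access, so a key such as
// "__proto__.isAdmin" reaches Object.prototype and pollutes every object.
function setPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject prototype-reaching keys, descend only into own properties,
// and create intermediate objects without a prototype chain.
function setPathSafe(obj, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`Refusing to set reserved key "${key}" in path "${path}"`);
    }
  }
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, key) ||
        typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs the hostile path through both setters and reports what happened.
function demo() {
  // Constructed attacker-influenced key path, e.g. from a tampered config file.
  const hostilePath = '__proto__.isAdmin';
  const victim = {}; // an unrelated object that exists before the write

  setPathUnsafe({}, hostilePath, true);
  const polluted = victim.isAdmin === true; // true: Object.prototype was modified
  delete Object.prototype.isAdmin;          // undo the pollution for the rest of the process

  let rejected = false;
  try {
    setPathSafe({}, hostilePath, true);
  } catch (e) {
    rejected = true;
  }
  const stillClean = victim.isAdmin === undefined;

  // A benign nested path still works with the hardened setter.
  const cfg = setPathSafe({}, 'db.port', 5432);

  return { polluted, rejected, stillClean, dbPort: cfg.db.port };
}

console.log(demo());
```

The unsafe walk succeeds because `({})['__proto__']` is `Object.prototype`, so the final assignment lands on the shared prototype and every object in the process inherits `isAdmin`. The hardened version closes both routes: the explicit key blocklist stops `__proto__`, `constructor` and `prototype`, and the own-property check plus `Object.create(null)` intermediates prevent the walk from ever stepping onto an inherited object.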

Weakness Enumeration

Prototype Pollution

Related Identifiers

BDU:2024-10460
CVE-2023-0163
GHSA-4JRM-C32X-W4JF

Affected Products

Convict