CVE-2023-36665 - Vulnerability Details - OpenCVE

ReportizFlow

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Protobufjs Project	Protobufjs

Configuration 1 [-]

cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d
https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4
https://github.com/protobufjs/protobuf.js/pull/1899
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4
https://nvd.nist.gov/vuln/detail/CVE-2023-36665
https://security.netapp.com/advisory/ntap-20240628-0006/
https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665
https://www.cve.org/CVERecord?id=CVE-2023-36665

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-07-05T00:00:00

Updated: 2024-08-02T16:52:54.371Z

Reserved: 2023-06-25T00:00:00

Link: CVE-2023-36665

Vulnrichment

Updated: 2024-08-02T16:52:54.371Z

NVD

Status : Modified

Published: 2023-07-05T14:15:09.410

Modified: 2024-11-21T08:10:16.390

Link: CVE-2023-36665

Redhat

Severity : Moderate

Publid Date: 2023-07-05T00:00:00Z

Links: CVE-2023-36665 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-36665", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T16:52:54.371Z", "dateReserved": "2023-06-25T00:00:00", "datePublished": "2023-07-05T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-28T18:05:58.043477"}, "descriptions": [{"lang": "en", "value": "\"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4"}, {"url": "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d"}, {"url": "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665"}, {"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4"}, {"url": "https://github.com/protobufjs/protobuf.js/pull/1899"}, {"url": "https://security.netapp.com/advisory/ntap-20240628-0006/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-08T15:11:08.399447Z", "id": "CVE-2023-36665", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T15:11:31.786Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:52:54.371Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4", "tags": ["x_transferred"]}, {"url": "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d", "tags": ["x_transferred"]}, {"url": "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665", "tags": ["x_transferred"]}, {"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4", "tags": ["x_transferred"]}, {"url": "https://github.com/protobufjs/protobuf.js/pull/1899", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240628-0006/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4", "tags": ["x_transferred"]}, {"url": "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d", "tags": ["x_transferred"]}, {"url": "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665", "tags": ["x_transferred"]}, {"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4", "tags": ["x_transferred"]}, {"url": "https://github.com/protobufjs/protobuf.js/pull/1899", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240628-0006/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:52:54.371Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-36665", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-08T15:11:08.399447Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T15:11:25.669Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4"}, {"url": "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d"}, {"url": "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665"}, {"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4"}, {"url": "https://github.com/protobufjs/protobuf.js/pull/1899"}, {"url": "https://security.netapp.com/advisory/ntap-20240628-0006/"}], "descriptions": [{"lang": "en", "value": "\"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-28T18:05:58.043477"}}}, "cveMetadata": {"cveId": "CVE-2023-36665", "state": "PUBLISHED", "dateUpdated": "2024-08-02T16:52:54.371Z", "dateReserved": "2023-06-25T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-07-05T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:protobufjs_project:protobufjs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E84C9B9B-5A8E-4DDA-8ACA-920CABF80FEA", "versionEndExcluding": "7.2.5", "versionStartIncluding": "6.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty."}], "id": "CVE-2023-36665", "lastModified": "2024-11-21T08:10:16.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-07-05T14:15:09.410", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4"}, {"source": "[email protected]", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/protobufjs/protobuf.js/pull/1899"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4"}, {"source": "[email protected]", "url": "https://security.netapp.com/advisory/ntap-20240628-0006/"}, {"source": "[email protected]", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/protobufjs/protobuf.js/pull/1899"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240628-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "protobufjs: prototype pollution using user-controlled protobuf message", "id": "2220812", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2220812"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-1321", "details": ["\"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.", "A flaw was found in the protobuf.js. The affected versions of protobuf.js could allow a remote attacker to execute arbitrary code on the system caused by prototype pollution. By sending a specially crafted message, an attacker can execute arbitrary code on the system."], "name": "CVE-2023-36665", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Not affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2023-07-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-36665\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-36665\nhttps://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665"], "statement": "For Red Hat Enterprise Linux, Protobufjs in Grafana are used for communication with trusted sources (prometheus/openmetrics scraping), end-user communication is over HTTP. While this CVE is in Grafana (rhel-8, rhel-9), it will be resolved via a Grafana rebase. Hence, it is marked as wontfix.", "threat_severity": "Moderate"}