Home > Vulnerability Database > CVE-2023-0163

Mend.io Vulnerability Database

CVE-2023-0163

Good to know:

Date: November 26, 2024

convict before 6.2.4 was discovered to contain a prototype pollution vulnerability. An attacker can inject attributes that are used in other components and can override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.

Language: JS

Severity Score

8.4

Related Resources (6)

Url: https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf

Url: https://github.com/mozilla/node-convict/issues/410

Url: https://github.com/mozilla/node-convict

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-0163

Url: https://github.com/mozilla/node-convict/commit/fb602fbe1e9f14f2e88ecb8179d0f76466d21ecb

Url: https://www.mend.io/vulnerability-database/CVE-2023-0163

Severity Score

8.4

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

Upgrade Version

Upgrade to version convict - 6.2.4

Learn More

CVSS v3.1

Base Score:	8.4
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-0163

Good to know:

Date: November 26, 2024

Language: JS

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?