Improper Control of Dynamically-Managed Code Resources in protobuf.js

#VU64865 Improper Control of Dynamically-Managed Code Resources in protobuf.js

Published: 2022-07-04

Vulnerability identifier: #VU64865

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-25878

CWE-ID: CWE-913

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
protobuf.js
Universal components / Libraries / Programming Languages & Components

Vendor: protobuf.js

Description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to Prototype Pollution error in protobufjs. A remote unauthenticated attacker can provide an untrusted user input to the util.setProperty or to the ReflectionObject.setParsedOption functions, and also by parse/load .proto files to modify data on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

protobuf.js: 6.0.0 - 6.11.2

External links
http://github.com/protobufjs/protobuf.js/pull/1731
http://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197
http://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f
http://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Multiple vulnerabilities in IBM Engineering Requirements Quality Assistant On-Premises

Multiple vulnerabilities in Netcool Operations Insight

Multiple vulnerabilities in IBM Cloud Pak for Business Automation