=====================================================================

                             CERT-Renater

                   Note d'Information No. 2021/VULN165
_____________________________________________________________________

DATE                : 21/04/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Convict versions prior to 6.2.2.

=====================================================================
https://github.com/mozilla/node-convict/security/advisories/GHSA-x2w5-725j-gf2g
_____________________________________________________________________

Prototype Pollution in convict
High     clouserw published GHSA-x2w5-725j-gf2g yesterday


Package              convict ( npm )

Affected versions    < 6.2.2

Patched versions
6.2.2


Description

Impact

     An attacker can inject attributes that are used in other components
     An attacker can override existing attributes with ones that have 
incompatible type, which may lead to a crash.

The main use case of Convict is for handling server-side configurations 
written by the admins owning the servers, and not random users. So it's 
unlikely that an admin would deliberately sabotage their own server. 
Still a situation can happen where an admin not knowledgeable about 
JavaScript could be tricked by an attacker into writing the malicious 
JavaScript code into some config files.


Patches

The problem is patched in convict@6.2.2. Users should upgrade to 
convict@6.2.2.


Workarounds

No way for users to fix or remediate the vulnerability without upgrading


References

     https://www.huntr.dev/bounties/1-npm-convict/
     #384
     3b86be0


For more information

If you have any questions or comments about this advisory:
add your question as a comment in #384

CVE ID
CVE-2022-22143

GHSA ID
GHSA-x2w5-725j-gf2g

CWEs
CWE-1321

CVSS Score
8.4 High
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credits

     @cristianstaicu cristianstaicu Cristian-Alexandru STAICU
     @arjunshibu arjunshibu Arjun Shibu



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================