Vulnerabilities > CVE-2022-21803 - Unspecified vulnerability in Nconf Project Nconf
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.
Vulnerable Configurations
References
- https://github.com/indexzero/nconf/pull/397
- https://github.com/indexzero/nconf/pull/397
- https://github.com/indexzero/nconf/releases/tag/v0.11.4
- https://github.com/indexzero/nconf/releases/tag/v0.11.4
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450
- https://snyk.io/vuln/SNYK-JS-NCONF-2395478
- https://snyk.io/vuln/SNYK-JS-NCONF-2395478