CVE-2023-30857
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version 0.6.1, there is a possible prototype pollution issue for the MetadataRecord, when merged with a base class' metadata object, in meta decorator from the @aedart/support package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via meta(). Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version 0.6.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| aedart | ion | < 0.6.1 | affected |
Weaknesses
- CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6
- https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6
- https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.