Debian Bug report logs - #1027145: node-json5: CVE-2022-46175
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#1027145; Package src:node-json5. (Wed, 28 Dec 2022 16:39:04 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 28 Dec 2022 16:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: node-json5
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-json5.
CVE-2022-46175[0]:
| JSON5 is an extension to the popular JSON file format that aims to be
| easier to write and maintain by hand (e.g. for config files). The
| `parse` method of the JSON5 library before and including version
| `2.2.1` does not restrict parsing of keys named `__proto__`, allowing
| specially crafted strings to pollute the prototype of the resulting
| object. This vulnerability pollutes the prototype of the object
| returned by `JSON5.parse` and not the global Object prototype, which
| is the commonly understood definition of Prototype Pollution. However,
| polluting the prototype of a single object can have significant
| security impact for an application if the object is later used in
| trusted operations. This vulnerability could allow an attacker to set
| arbitrary and unexpected keys on the object returned from
| `JSON5.parse`. The actual impact will depend on how applications
| utilize the returned object and how they filter unwanted keys, but
| could include denial of service, cross-site scripting, elevation of
| privilege, and in extreme cases, remote code execution. `JSON5.parse`
| should restrict parsing of `__proto__` keys when parsing JSON strings
| to objects. As a point of reference, the `JSON.parse` method included
| in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse`
| to `JSON.parse` in the examples above mitigates this vulnerability.
| This vulnerability is patched in json5 version 2.2.2 and later.
https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
https://github.com/json5/json5/issues/199
https://github.com/json5/json5/issues/295
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-46175
https://www.cve.org/CVERecord?id=CVE-2022-46175
Please adjust the affected versions in the BTS as needed.
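The advisory above describes the mechanism without showing it. The following is an added example, not code from the bug report, from Debian or from the json5 project: it reproduces, on a constructed input, why an object-building step that assigns `obj[key] = value` lets a `__proto__` key replace the prototype of the object being built (and only that object's prototype, not the global `Object.prototype`), shows the alternative of defining an own data property (which is what `JSON.parse` does, so the key becomes an ordinary own property), and adds the two checks a consuming application wants: a prototype check on the parsed result and a scan/filter for `__proto__`, `constructor` and `prototype` keys. The function names, the sample document and the forbidden-key list are assumptions for this illustration; `JSON.parse` is used only to obtain the key/value pairs a parser would have tokenized.

```javascript
// Added example, not code from the bug report or from the json5 project.
// It reproduces the mechanism the advisory describes with a constructed
// input and shows the defender-side check and filter. Function names and
// the sample document are assumptions made for this illustration.

// Constructed sample document: an ordinary key plus a `__proto__` key.
const CONSTRUCTED_INPUT = '{"name": "alice", "__proto__": {"isAdmin": true}}';

// JSON.parse creates `__proto__` as an own data property (it does not touch
// the prototype), so its entries stand in for the key/value pairs a parser
// has tokenized and is about to place on the object it is building.
function pairsFrom(text) {
  return Object.entries(JSON.parse(text));
}

// Vulnerable object-building step: plain assignment goes through the
// inherited `__proto__` accessor, so a key named `__proto__` replaces the
// prototype of the object under construction (only this object's prototype,
// not the global Object.prototype, exactly as the advisory says).
function naiveBuild(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    obj[key] = value;
  }
  return obj;
}

// Hardened object-building step: defining an own data property bypasses the
// accessor, so `__proto__` ends up as an ordinary own key, as with JSON.parse.
function safeBuild(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Check: a parsed plain object should still have Object.prototype as its
// prototype. Anything else means a `__proto__` key was honoured.
function isProtoPolluted(obj) {
  return Object.getPrototypeOf(obj) !== Object.prototype;
}

// Keys an application should not accept from untrusted parsed input
// (assumed list for this example).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Audit: return the paths of forbidden own keys anywhere in a parsed value.
function findForbiddenKeys(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findForbiddenKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const childPath = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) found.push(childPath);
      findForbiddenKeys(value[key], childPath, found);
    }
  }
  return found;
}

// Filter: deep copy of a parsed value with forbidden keys dropped.
function stripForbiddenKeys(value) {
  if (Array.isArray(value)) return value.map(stripForbiddenKeys);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = stripForbiddenKeys(value[key]); // safe: key is never __proto__
  }
  return out;
}

// Stand-alone demonstration.
const polluted = naiveBuild(pairsFrom(CONSTRUCTED_INPUT));
const clean = safeBuild(pairsFrom(CONSTRUCTED_INPUT));
console.log('naive: isAdmin =', polluted.isAdmin, 'polluted =', isProtoPolluted(polluted));
console.log('safe:  isAdmin =', clean.isAdmin, 'polluted =', isProtoPolluted(clean));
console.log('forbidden keys in safe result:', findForbiddenKeys(clean));
console.log('stripped:', stripForbiddenKeys(clean));
console.log('global Object.prototype untouched:', ({}).isAdmin === undefined);
```

Note the asymmetry between the two checks: once the naive build has replaced the prototype, `__proto__` is not an own key any more, so a key scan after parsing finds nothing and only the prototype check (`isProtoPolluted`) catches it. The key scan and filter are the right tool for the hardened result, where `__proto__` survives as an ordinary own key that downstream code (a merge or copy that again uses plain assignment) could still honour.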
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 28 Dec 2022 19:45:03 GMT)
Marked as found in versions node-json5/2.2.1+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 28 Dec 2022 20:27:03 GMT)
Last modified: Thu Dec 29 16:36:26 2022