CVE-2019-18954: Pomelo allows external control of critical state data

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.61691%
Published: 12/2/2019
Updated: 9/8/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
pomelo       | npm       | < 2.2.7             | 2.2.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the Handler constructor directly assigning the user-provided 'app' parameter to instance properties. The PoC demonstrates sending {get:{}} in requests to the connector.entryHandler.constructor endpoint, which overwrites the get method. The lack of input validation/sanitization in the constructor allows property collision attacks. Runtime detection would show the Handler constructor processing malicious input when attackers attempt to overwrite internal attributes.
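As an added illustration of the root cause described above (constructed for this page, not Pomelo's own code): a handler whose constructor copies every key of a caller-controlled `app` object onto the instance, beside a hardened form that accepts only allow-listed keys and refuses collisions with existing properties, plus a small detection helper. The class names, `ALLOWED_KEYS` and the helper functions are assumptions.

```javascript
// Constructed illustration of the CVE-2019-18954 pattern (not Pomelo's code):
// a handler whose constructor copies every key of a caller-controlled object
// onto `this`, so a request carrying {get: {}} replaces the `get` method.
class VulnerableHandler {
  constructor(app) {
    this.app = app;
    // Flaw: untrusted keys are copied straight onto the instance.
    for (const key of Object.keys(app)) {
      this[key] = app[key];
    }
  }
  get(name) {
    return `resolved:${name}`;
  }
}

// Hardened form: only an explicit allow-list of configuration keys is
// accepted, and a key that collides with an existing property (including
// prototype methods such as `get`) is rejected rather than silently assigned.
const ALLOWED_KEYS = new Set(['serverId', 'serverType']); // assumed key names

class HardenedHandler {
  constructor(app) {
    this.app = Object.freeze({ ...app });
    for (const key of Object.keys(app)) {
      if (!ALLOWED_KEYS.has(key)) continue; // drop unknown keys such as `get`
      if (key in this) throw new TypeError(`refusing to overwrite "${key}"`);
      this[key] = app[key];
    }
  }
  get(name) {
    return `resolved:${name}`;
  }
}

// Detection helper: lists request keys that would shadow a handler method
// if copied onto the instance, the collision the root cause analysis describes.
function collidingKeys(HandlerClass, input) {
  return Object.keys(input).filter((k) => k in HandlerClass.prototype);
}

// Returns whether a handler built from `input` still has a working `get`.
function getStillCallable(HandlerClass, input) {
  try {
    const h = new HandlerClass(input);
    return typeof h.get === 'function' && h.get('x') === 'resolved:x';
  } catch (e) {
    return false;
  }
}
```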

WAF Protection Rules

WAF Rule

Pomelo allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in `template/game-server/app/servers/connector/handler/entryHandler.js` because certain internal attributes can be overwritten …
