
CVE-2022-21803:
Prototype Pollution in nconf

CVSS Score: 7.3

Basic Information

EPSS Score: -
Published: 4/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
nconf          npm         < 0.11.4              0.11.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The vulnerability documentation explicitly identifies the .set() function as the vulnerable entry point.
  2. The GitHub PR #397 shows security fixes were made to the memory store implementation.
  3. The CVE description confirms the memory engine is affected.
  4. Prototype pollution typically occurs in functions that recursively set nested properties without prototype checks.
  5. The patch version 0.11.4 would have contained the fix for these specific functions in the memory store implementation.


WAF Protection Rules

WAF Rule

nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By
