CVE-2023-26136

CVSS V2 None CVSS V3 None

Description

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Overview

CVE ID
CVE-2023-26136

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2023-07-01T05:00:01.115Z

Last Modified Date
2023-07-01T05:00:01.115Z

Weakness Enumerations

CWE	URL
CWE-1321	http://cwe.mitre.org/data/definitions/1321.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
https://github.com/salesforce/tough-cookie/issues/282
https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3
https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/
https://security.netapp.com/advisory/ntap-20240621-0006/

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-26136
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 23:20:44				Added to TrackCVE