CVE-2023-30857

CVSS V2 None CVSS V3 None

Description

@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.

Overview

CVE ID
CVE-2023-30857

Assigner
security-advisories@github.com

Vulnerability Status
Received

Published Version
2023-04-28T21:15:09

Last Modified Date
2023-04-28T21:15:09

Weakness Enumerations

CWE	URL
CWE-1321	http://cwe.mitre.org/data/definitions/1321.html

References

Reference URL	Reference Tags
https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291
https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-30857
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30857

History

Created	Old Value	New Value	Data Type	Notes
2023-04-28 22:00:48				Added to TrackCVE
2023-04-28 22:00:49			Weakness Enumeration	new