
Fix Prototype Pollution vulnerability in tough-cookie

Open camgrimsec opened this issue 10 months ago • 0 comments

Description:

Introduction: This PR addresses a vulnerability in the tough-cookie package, specifically related to Prototype Pollution. This vulnerability is identified with a CVSS score of 6.5 (Medium Severity) by Snyk and 9.8 (Critical Severity) by NVD.

Details: The vulnerability is introduced through @tryghost/[email protected] and @tryghost/[email protected], and it affects versions of tough-cookie prior to 4.1.3.

Exploit Maturity: The exploit maturity is identified as Proof of Concept.

Detailed Paths:

Introduced through: [email protected] › @tryghost/[email protected][email protected][email protected][email protected][email protected]
Introduced through: [email protected] › @tryghost/[email protected] › @tryghost/[email protected][email protected][email protected][email protected][email protected]

Security Information:

Snyk: CVSS 6.5 - Medium Severity
NVD: CVSS 9.8 - Critical Severity

Overview: tough-cookie is an RFC6265 Cookies and CookieJar module for Node.js.

Vulnerability Description: Affected versions of this package are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. Due to an issue with the manner in which the objects are initialized, an attacker can expose or modify a limited amount of property information on those objects. There is no impact to availability.

Remediation: Upgrade to version 4.1.3 or later of tough-cookie to fix this vulnerability. Unfortunately, there is no remediation path available for previous versions.

Proposed Changes: Update the dependency on tough-cookie to version 4.1.3 or later in the package.json file.

Testing: After updating the dependency, ensure that all existing functionality continues to work as expected. Perform thorough testing to verify that the vulnerability has been mitigated.

Additional Notes: Ensure that the updated version of tough-cookie is compatible with other dependencies and does not introduce any new issues.

camgrimsec · Mar 30 '24 09:03
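The Testing section asks for verification that the upgrade actually landed, and the two "Introduced through" paths show that tough-cookie arrives transitively, so a single top-level bump can leave an older nested copy behind. The following script is an added example, not code from the issue or the tough-cookie project: it walks an npm package-lock.json (v1 nested tree or v2/v3 "packages" map), lists every installed copy of tough-cookie, and flags any copy older than the fixed release 4.1.3. The sample lock embedded in it is constructed; its package names and version numbers are placeholders, not the project's real dependency tree.

```javascript
// Added example: find every installed copy of tough-cookie in a package-lock
// and report those below the fixed version named in the advisory (4.1.3).
const FIXED_VERSION = '4.1.3';

// Compare dotted numeric versions (prerelease suffix ignored); <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return [{ path, version }] for each tough-cookie entry in a parsed lockfile.
// v2/v3 locks carry a flat "packages" map keyed by install path; v1 locks carry
// a nested "dependencies" tree, which we walk recursively.
function findToughCookie(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/tough-cookie') && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'tough-cookie' && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Copies still affected: anything older than the fixed release.
function vulnerableCopies(lock) {
  return findToughCookie(lock).filter((c) => compareVersions(c.version, FIXED_VERSION) < 0);
}

// Constructed sample (v3 layout): one nested copy left behind, one fixed copy.
// "some-dep" and both version numbers are placeholders for illustration only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/tough-cookie': { version: '4.1.3' },
    'node_modules/some-dep/node_modules/tough-cookie': { version: '4.1.2' },
  },
};
```

To run it against a real lockfile, load it with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` and pass the result to `vulnerableCopies`; an empty result means no copy below 4.1.3 remains installed.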