CVE-2020-28282
Prototype pollution vulnerability in getobject


What is CVE-2020-28282 About?

This vulnerability is a Prototype Pollution flaw in 'getobject' version 0.1.0. It enables an attacker to modify object prototypes, potentially leading to denial of service or remote code execution. The exploit path is straightforward, typically requiring controlled input to the vulnerable function.

Affected Software

getobject <1.0.0

Technical Details

The 'getobject' library version 0.1.0 is affected by a Prototype Pollution vulnerability. This occurs when an attacker can supply input that includes the '__proto__' property, which then gets processed in a way that allows its values to be written directly to 'Object.prototype'. By manipulating 'Object.prototype', an attacker can inject new properties or overwrite existing ones, affecting the behavior of all objects in the application. This can lead to unexpected program flow, crashes (denial of service), or execution of arbitrary code if carefully crafted.

What is the Impact of CVE-2020-28282?

Successful exploitation may allow attackers to conduct denial of service attacks by corrupting object prototypes, and in some cases, achieve remote code execution by injecting malicious properties or functions.

What is the Exploitability of CVE-2020-28282?

Exploitation involves crafting malicious input with '__proto__' properties and ensuring it is processed by the vulnerable 'getobject' function. The complexity is low, as it relies on input manipulation. There are typically no specific authentication or privilege requirements, as the vulnerability usually manifests in input parsing. This can be a remote or local attack depending on how the input is received. The main constraint is the ability to control input that eventually reaches the 'getobject' function. Applications processing untrusted JSON or similar data structures are at higher risk.

What are the Known Public Exploits?

No known exploits are listed; the PoC / Author / Link / Commentary table is empty.

What are the Available Fixes for CVE-2020-28282?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch prevents the 'set' function from assigning values through the '__proto__' property, blocking prototype pollution attacks. By adding a check that returns early if '__proto__' appears in the property path, it mitigates the vulnerability described in CVE-2020-28282, which allowed attackers to manipulate object prototypes and potentially impact application security.
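The following is an added example written for this page; it is not getobject's own code and does not reproduce its implementation. It shows a minimal dotted-path 'set' in the vulnerable shape described under Technical Details, beside a hardened version that applies the early-return check described above. The hardened version goes slightly beyond the page's '__proto__'-only check by also refusing 'constructor' and 'prototype' segments, the other two keys through which a path walk can reach a prototype. The function names (vulnerableSet, safeSet, demonstrate), the FORBIDDEN_KEYS set and the constructed input path are assumptions of this example.

```javascript
// Added example (not getobject's code): a dotted-path "set" in vulnerable and
// hardened form. Names and input are constructed for this demonstration.

// Vulnerable shape: every path segment is used as a key without filtering, so
// the segment "__proto__" resolves to Object.prototype and the final
// assignment lands on the shared prototype instead of on `obj`.
function vulnerableSet(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Keys that let a path walk escape the target object and reach a prototype.
// The page's fix blocks "__proto__"; "constructor" and "prototype" are added
// here as the usual companions (constructor.prototype is another route).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened shape: return early, leaving `obj` untouched, when any segment is a
// forbidden key; also only descend into own properties so an inherited value
// is never used as an intermediate container.
function safeSet(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => FORBIDDEN_KEYS.has(p))) {
    return obj;
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs one implementation against a constructed "__proto__" path and reports
// whether an unrelated object picked up the property, i.e. whether the shared
// prototype was polluted. Any pollution is removed before returning so the
// demonstration does not leak into the rest of the process.
function demonstrate(setFn) {
  const target = {};
  const bystander = {};
  setFn(target, '__proto__.polluted', 'yes');
  const leaked = bystander.polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

// Stand-alone run: prints true for the vulnerable form, false for the fix.
console.log('vulnerableSet pollutes prototype:', demonstrate(vulnerableSet));
console.log('safeSet pollutes prototype:', demonstrate(safeSet));
console.log('safeSet still sets normal paths:', safeSet({}, 'a.b', 1).a.b === 1);
```

The `bystander` object is the useful check from a defender's point of view: prototype pollution is not visible on the object you passed in, only on every other object in the process, so a regression test for a fix like this should assert on a fresh object rather than on the return value.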

Available Upgrade Options

  • getobject
    • <1.0.0 → Upgrade to 1.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-28282?

Similar Vulnerabilities: CVE-2020-7637, CVE-2020-28503, CVE-2020-7660, CVE-2019-11358, CVE-2019-10747