CVE-2021-23807
Type Confusion vulnerability in jsonpointer (npm)
What is CVE-2021-23807 About?
The `jsonpointer` package before version 5.0.0 is vulnerable to a Type Confusion issue that bypasses an earlier Prototype Pollution fix. That fix compared pointer components against dangerous names as strings; when a component is an array such as `['__proto__']`, the comparison does not match, but the array is coerced to the string `__proto__` when it is used as a property key, so `set` can still write to `Object.prototype`. Exploitation consists of passing such array-type components in a pointer that reaches the library.
Affected Software
- jsonpointer
- <5.0.0
- org.webjars.npm:json-pointer
- <5.0.0
Technical Details
In versions prior to 5.0.0, `jsonpointer` guarded against Prototype Pollution by comparing each pointer component against the strings `__proto__`, `constructor` and `prototype` with strict equality and refusing the write on a match. The guard assumed that components are scalars. A pointer supplied as an array may, however, contain a nested array as a component, and `['__proto__'] === '__proto__'` is false, so the guard does not fire. When the library then indexes the current object with that component, JavaScript converts the array to its string form `"__proto__"`, the traversal steps into `Object.prototype`, and the final assignment lands on the shared prototype. The outcome is the same as the original Prototype Pollution issue the fix was meant to close: the injected property appears on every plain object in the process, not only on the intended target.
What is the Impact of CVE-2021-23807?
Successful exploitation lets an attacker pollute `Object.prototype`, defeating the mechanism that was meant to prevent exactly that. Properties injected this way are visible on every plain object in the application. The concrete consequence depends on how the application reacts to unexpected properties: typical outcomes range from denial of service and altered control flow to, where a suitable gadget exists, arbitrary code execution.
What is the Exploitability of CVE-2021-23807?
An attacker needs to get a pointer containing array-type components into a call to `jsonpointer.set`. String pointers are split on `/` into string components, so this particular type confusion cannot arise from them; the exposed callers are those that pass the pointer as an array assembled from untrusted data, for example from a parsed JSON request body. The library itself imposes no authentication or privilege requirement, and the attack is remote whenever such a code path is reachable from user input. Once such a path is identified the complexity is low: a single component like `['__proto__']` followed by the property name to inject is enough.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23807?
About the Fix from Resolved Security
The patch refuses to set properties through the dangerous names `__proto__`, `constructor` and `prototype` at any depth of the pointer, and additionally validates that every component of an array pointer is a string or a number before it is used. The second check is what closes CVE-2021-23807: a component such as `['__proto__']` is rejected up front instead of slipping past a string comparison and being coerced to `__proto__` when used as a property key.
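The following added example is our own illustration, not code from the `jsonpointer` project. It models the two behaviours described under Technical Details and in the fix description above: `setVulnerable` mirrors the pre-5.0.0 guard, which only compares components against the blocked names, and `setHardened` mirrors the 5.0.0 approach of type-checking every component before rejecting dangerous names at every depth. The function names, the `BLOCKED` list and the demo inputs are ours.

```javascript
// Added example (not the jsonpointer library's code): a minimal JSON Pointer
// setter modelled on the pre-5.0.0 guard, beside one modelled on the 5.0.0 fix.

const BLOCKED = ['__proto__', 'constructor', 'prototype']

// Model of the bypassed guard: each component is compared with === against
// the blocked names. An array such as ['__proto__'] is never === to a string,
// so it passes; cur[part] then stringifies it to "__proto__" when it is used
// as a property key and the walk descends into Object.prototype.
function setVulnerable (obj, components, value) {
  let cur = obj
  for (let i = 0; i < components.length; i++) {
    const part = components[i]
    if (part === '__proto__' || part === 'constructor' || part === 'prototype') return obj
    if (i === components.length - 1) {
      cur[part] = value
      return obj
    }
    if (typeof cur[part] === 'undefined') cur[part] = {}
    cur = cur[part]
  }
  return obj
}

// Model of the 5.0.0 fix: reject any component that is not a string or a
// number before walking, then refuse the dangerous names at every depth.
// The type check must come first: BLOCKED.includes(['__proto__']) is false.
function setHardened (obj, components, value) {
  for (const part of components) {
    if (typeof part !== 'string' && typeof part !== 'number') {
      throw new TypeError('Invalid JSON pointer. Must be of type string or number.')
    }
  }
  let cur = obj
  for (let i = 0; i < components.length; i++) {
    const part = components[i]
    if (BLOCKED.includes(part)) return obj
    if (i === components.length - 1) {
      cur[part] = value
      return obj
    }
    if (typeof cur[part] === 'undefined') cur[part] = {}
    cur = cur[part]
  }
  return obj
}

// Reproduce the bypass against a fresh object and report what an unrelated
// object now observes through the shared prototype.
function demoBypass () {
  const target = {}
  const bystander = {}
  setVulnerable(target, [['__proto__'], 'polluted'], 'yes')
  const result = {
    leaked: bystander.polluted, // 'yes': the write landed on Object.prototype
    ownOnTarget: Object.prototype.hasOwnProperty.call(target, 'polluted') // false
  }
  delete Object.prototype.polluted // undo the pollution so later code is unaffected
  return result
}

// Same inputs against the hardened setter, plus a nested string-form
// dangerous key and an ordinary pointer to show normal use still works.
function demoHardened () {
  const bystander = {}
  let rejected = false
  try {
    setHardened({}, [['__proto__'], 'polluted'], 'yes')
  } catch (err) {
    rejected = err instanceof TypeError
  }
  const nested = setHardened({ a: {} }, ['a', '__proto__', 'polluted'], 'yes')
  const normal = setHardened({}, ['a', 'b'], 1)
  return {
    rejected, // true: array component refused before any write
    leaked: bystander.polluted, // undefined
    nestedKeys: Object.keys(nested.a).length, // 0: nothing written below 'a'
    normalValue: normal.a.b // 1
  }
}

console.log('vulnerable model:', demoBypass())
console.log('hardened model  :', demoHardened())
```

Running the file shows the pre-fix model leaking `polluted: 'yes'` onto an object that was never touched, while the hardened model rejects the array component outright and leaves the bystander clean.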
Available Upgrade Options
- jsonpointer
- <5.0.0 → Upgrade to 5.0.0
- org.webjars.npm:json-pointer
- <5.0.0 → Upgrade to 5.0.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-282f-qqgm-c34q
- https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577288
- https://nvd.nist.gov/vuln/detail/CVE-2021-23807
- https://github.com/janl/node-jsonpointer/commit/a0345f3550cd9c4d89f33b126390202b89510ad4
- https://github.com/janl/node-jsonpointer/pull/51
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910273
- https://github.com/janl/node-jsonpointer
What are Similar Vulnerabilities to CVE-2021-23807?
Similar Vulnerabilities: CVE-2021-23436, CVE-2020-28477, CVE-2021-23386, CVE-2020-7699, CVE-2020-7712
