CVE-2024-29131
Prototype pollution vulnerability in commons-configuration2 (Maven)

Prototype pollution No known exploit

What is CVE-2024-29131 About?

This is a Prototype pollution vulnerability in the `resolveShims` function within `resolve-shims.js` of `thlorenz browserify-shim` version 3.8.15. It allows an attacker to inject arbitrary properties into JavaScript object prototypes. This can lead to remote code execution or denial of service and can be moderately easy to exploit if user-controlled input reaches the vulnerable function.

Affected Software

org.apache.commons:commons-configuration2 >2.0, <2.10.1

Technical Details

The vulnerability is a 'Prototype pollution' flaw in the resolveShims function located in resolve-shims.js of the thlorenz browserify-shim library, affecting version 3.8.15.

Prototype pollution occurs when a malicious actor can add arbitrary properties to Object.prototype (or the prototypes of other built-in constructors), which then affects every object in the application's environment. Specifically, the vulnerability arises through the fullPath variable: an attacker can manipulate input that eventually becomes the fullPath variable to inject properties such as __proto__ into an object, thereby modifying the global Object.prototype. This manipulation typically involves specially crafted JSON or query string parameters that are recursively merged or assigned without proper validation of property names.

Once the prototype is polluted, subsequent object creations or property lookups can be influenced by the attacker-controlled properties, potentially leading to denial of service, data tampering, or even remote code execution if sensitive application logic relies on these polluted properties in an unsafe manner.
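The merge pattern described above, as an added illustration (constructed for this page, not code from browserify-shim or commons-configuration2): a naive recursive merge walks an attacker-supplied `__proto__` key straight into Object.prototype, while the hardened variant refuses prototype-altering keys and only writes to own properties.

```javascript
// Constructed example: vulnerable deep merge beside a hardened one.
// Keys that can redirect a write onto a prototype rather than the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: trusts every key in `source`. For key "__proto__",
// target[key] resolves to Object.prototype, so the recursion writes
// the nested values onto the global prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip prototype-altering keys and never descend into an
// inherited property of `target`; only own, plain-object children are merged.
function safeMerge(target, source) {
  const hasOwn = Object.prototype.hasOwnProperty;
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop __proto__ & co.
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn.call(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge over a constructed untrusted JSON body and reports whether
// an unrelated, freshly created object ended up inheriting the injected key.
function pollutesGlobalPrototype(merge) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed input
  merge({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the runtime for later checks
  return leaked;
}
```

`JSON.parse` creates `__proto__` as an ordinary own property, which is exactly why a key-blind merge must never treat it as data.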

What is the Impact of CVE-2024-29131?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, which can lead to denial of service, arbitrary code execution, or bypass of security mechanisms depending on the application context and subsequent operations.

What is the Exploitability of CVE-2024-29131?

Exploitation requires user-controlled input to reach the resolveShims function and manipulate the fullPath variable to inject __proto__ or similar properties. The complexity is moderate, because it depends on how user input is processed and whether it flows into the vulnerable function. There are typically no authentication or privilege requirements for the initial injection, although the subsequent impact may depend on existing application logic being triggered. This can be a remote vulnerability if the application exposes an endpoint that processes user input in a way that reaches the vulnerable function. Special conditions often involve specific JSON parsing or object merging operations. Risk factors include applications that accept unvalidated JSON input or query parameters and use the affected library.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-29131?

Available Upgrade Options

  • org.apache.commons:commons-configuration2
    • >2.0, <2.10.1 → Upgrade to 2.10.1

Additional Resources

What are Similar Vulnerabilities to CVE-2024-29131?

Similar Vulnerabilities: CVE-2023-38035, CVE-2022-29807, CVE-2021-42036, CVE-2020-13936, CVE-2019-10098