Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13eGd3LXFqOTktNDRjMs0hQQ
Prototype Pollution in node-forge util.setPath API
Impact
forge.util.setPath
had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.
Patches
The forge.util.setPath
API and related functions were removed in 0.10.0.
Workarounds
Don't call forge.util.setPath
directly or indirectly with untrusted keys.
References
- https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-598677
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
For more information
If you have any questions or comments about this advisory:
- Open an issue in forge.
- Email us at [email protected].
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13eGd3LXFqOTktNDRjMs0hQQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-wxgw-qj99-44c2
References:
- https://github.com/digitalbazaar/forge/security/advisories/GHSA-wxgw-qj99-44c2
- https://github.com/advisories/GHSA-wxgw-qj99-44c2
Blast Radius: 0.0
Affected Packages
npm:node-forge
Dependent packages: 2,329Dependent repositories: 3,039,204
Downloads: 81,007,705 last month
Affected Version Ranges: < 0.10.0
Fixed in: 0.10.0
All affected versions: 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.17, 0.2.18, 0.2.19, 0.2.20, 0.2.21, 0.2.22, 0.2.23, 0.2.24, 0.2.25, 0.2.26, 0.2.27, 0.2.28, 0.2.29, 0.2.30, 0.2.31, 0.2.32, 0.2.33, 0.2.34, 0.2.35, 0.2.36, 0.2.37, 0.3.0, 0.4.1, 0.4.2, 0.4.3, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 0.6.14, 0.6.16, 0.6.18, 0.6.19, 0.6.20, 0.6.21, 0.6.22, 0.6.23, 0.6.24, 0.6.25, 0.6.26, 0.6.27, 0.6.28, 0.6.29, 0.6.30, 0.6.31, 0.6.32, 0.6.33, 0.6.34, 0.6.35, 0.6.37, 0.6.38, 0.6.39, 0.6.40, 0.6.41, 0.6.42, 0.6.43, 0.6.44, 0.6.45, 0.6.46, 0.6.47, 0.6.48, 0.6.49, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.9.0, 0.9.1, 0.9.2
All unaffected versions: 0.10.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1