EIQ-2020-0009



ID

EIQ-2020-0009

CVE

CVE-2020-7598

Description

minimist enables prototype pollution

Date

12 Mar 2020

Severity

2 - MEDIUM

(Snyk score)

CVSSv3 score

5.6

(Snyk score)

Status

Fixed in 2.7.0

Assessment

minimist versions 1.2.1 and earlier allow an attacker who controls the command-line arguments being parsed to inject properties into JavaScript prototype objects (prototype pollution). The parser splits dotted argument names such as `--a.b=value` into nested keys and assigns them without checking the key names, so a `__proto__` or `constructor.prototype` segment steers the assignment onto Object.prototype.

An attacker could add or modify properties of Object.prototype with a `constructor` or a `__proto__` payload.
Modified properties are propagated to all objects through inheritance.

Depending on how the application uses the affected objects, an attacker could leverage prototype pollution to alter program logic, up to remote code execution, or to trigger JavaScript exceptions and cause a denial of service (DoS).
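The following is an added illustration, not EclecticIQ's or minimist's code: a toy argv parser with the same shape of bug as CVE-2020-7598 next to a hardened variant that rejects the dangerous key segments and only descends into own properties, plus a check that lists properties which have appeared on Object.prototype since load. The payloads are constructed; `setNested`, `parseArgs`, `pollutedKeys` and `demo` are names chosen here.

```javascript
// Added illustration (not minimist's code): a toy `--a.b=value` parser with a
// prototype-pollution bug of the CVE-2020-7598 kind, beside a hardened variant.

// Snapshot of Object.prototype at load time, used by the detection check below.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Walk `path` inside `target`, creating intermediate objects as needed.
// Vulnerable mode: `o['__proto__']` is never undefined on a plain object, so
// the walk steps onto Object.prototype and the final write lands there.
// Hardened mode: reject the dangerous segments and only descend into own
// properties, so inherited slots cannot be reached through user input.
function setNested(target, path, value, hardened) {
  let o = target;
  for (let i = 0; i < path.length; i++) {
    const seg = path[i];
    if (hardened && FORBIDDEN.has(seg)) return false; // drop the whole argument
    if (i === path.length - 1) { o[seg] = value; return true; }
    const own = Object.prototype.hasOwnProperty.call(o, seg);
    if (hardened ? !own : o[seg] === undefined) o[seg] = {};
    o = o[seg];
  }
  return true;
}

// Parse `--a.b.c=value` arguments into a nested object.
function parseArgs(argv, hardened = false) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setNested(out, m[1].split('.'), m[2], hardened);
  }
  return out;
}

// Detection check: own properties on Object.prototype that were not there at load.
function pollutedKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter(k => !BASELINE.has(k));
}

function cleanup() { for (const k of pollutedKeys()) delete Object.prototype[k]; }

// Run each constructed payload through the vulnerable and hardened parsers and
// report what an unrelated, freshly created object inherits afterwards.
function demo() {
  const payloads = [
    ['--__proto__.polluted=yes'],              // constructed __proto__ payload
    ['--constructor.prototype.polluted=yes'],  // constructed constructor payload
  ];
  const results = [];
  for (const argv of payloads) {
    parseArgs(argv, false);
    const vulnerable = ({}).polluted;          // 'yes': every object now inherits it
    const leaked = pollutedKeys();             // ['polluted']
    cleanup();
    parseArgs(argv, true);
    const hardened = ({}).polluted;            // undefined: argument was rejected
    cleanup();
    results.push({ argv: argv[0], vulnerable, leaked, hardened });
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The hardened parser silently drops a rejected argument; in a real application, logging or throwing on it is preferable, since an argument naming `__proto__` or `constructor` is never legitimate input. The `pollutedKeys` check is only a coarse signal (it misses pollution of other prototypes and of pre-existing keys) but is cheap enough to run in a test suite against dependencies that parse untrusted input.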

Mitigation

  • Upgrade to EclecticIQ Platform 2.7.0 or later.

    At the moment, it is not possible to globally upgrade minimist, because it occurs at least once as a sub-dependency.
    Sub-dependencies are indirect dependencies of other third-party dependencies.

    We cannot control these dependencies.
    We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.

  • Restrict network access to trusted users only; do not expose the platform to untrusted users or sources.

Affected versions

2.6.0 and earlier.

See also:

In release notes 2.7.0