This is a news story, published by VisionSpace, that relates primarily to Vulnerability Assessment news.
Prototype Pollution vulnerability
VisionSpace
The Prototype Pollution vulnerability is specific to the JavaScript programming language.
It enables an attacker to add or alter any properties of global object prototypes.
Once the property is changed, the code that inherits it will use the injected property instead of the original one.
This can be a very dangerous vulnerability that could (at best) cause a change in the application's client-side business logic or (at worst) Remote Code Execution on the server side.
The Vulnerability Assessment focused on the Open MCT software, in the context of a particular class of vulnerabilities characteristic of JavaScript front- and back-end applications.
The vulnerability was communicated to NASA and promptly fixed by their development team.
The problem was also reported to MITRE and can be tracked by the ID CVE-2023-45282.
The Prototype Pollution vulnerability can be mitigated by adding a check to the function responsible for deep object instantiation.
For instance, a condition could be introduced to verify whether the imported object has an explicit __proto__ property and delete it if so.
Using third-party libraries for deep copy/merge/clone of JavaScript objects is generally recommended.