diff --git a/advisories/github-reviewed/2024/04/GHSA-jjff-q3q4-5hh8/GHSA-jjff-q3q4-5hh8.json b/advisories/github-reviewed/2024/04/GHSA-jjff-q3q4-5hh8/GHSA-jjff-q3q4-5hh8.json index ff2f252b36f24..4ab90c8a8463d 100644 --- a/advisories/github-reviewed/2024/04/GHSA-jjff-q3q4-5hh8/GHSA-jjff-q3q4-5hh8.json +++ b/advisories/github-reviewed/2024/04/GHSA-jjff-q3q4-5hh8/GHSA-jjff-q3q4-5hh8.json @@ -1,64 +1,66 @@ { - "schema_version": "1.4.0", - "id": "GHSA-jjff-q3q4-5hh8", - "modified": "2024-04-18T16:58:17Z", - "published": "2024-04-18T15:30:49Z", - "aliases": [ - "CVE-2024-30564" - ], - "summary": "@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability", - "details": "An issue inandrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method.", - "severity": [], - "affected": [ - { - "package": { - "ecosystem": "npm", - "name": "@andrei-tatar/nora-firebase-common" - }, - "ranges": [ + "schema_version": "1.4.0", + "id": "GHSA-jjff-q3q4-5hh8", + "modified": "2026-05-06T00:00:00Z", + "published": "2024-04-01T00:00:00Z", + "aliases": [ + "CVE-2024-30564" + ], + "summary": "@andrei-tatar/nora-firebase-common - CVE-2024-30564", + "details": "A prototype pollution vulnerability exists in `@andrei-tatar/nora-firebase-common` between versions 1.0.41 and 1.12.2. A remote attacker can send a crafted payload that manipulates the `__proto__` property of JavaScript objects, injecting arbitrary properties onto `Object.prototype`. This affects all objects in the runtime and can lead to privilege escalation, remote code execution, or application logic bypass depending on how prototype properties are consumed downstream.\n\nThe vulnerability stems from insufficient key sanitization when merging or processing untrusted input objects. Version 1.12.3 addresses the issue.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.0.41" + "package": { + "ecosystem": "npm", + "name": "@andrei-tatar/nora-firebase-common" }, - { - "fixed": "1.12.3" - } - ] + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.41" + }, + { + "fixed": "1.12.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30564" + }, + { + "type": "PACKAGE", + "url": "https://www.npmjs.com/package/@andrei-tatar/nora-firebase-common" } - ] - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30564" - }, - { - "type": "WEB", - "url": "https://github.com/andrei-tatar/nora-firebase-common/issues/9" - }, - { - "type": "WEB", - "url": "https://github.com/andrei-tatar/nora-firebase-common/commit/bf30b75d51be04f6c1f884561a223226c890f01b" - }, - { - "type": "WEB", - "url": "https://gist.github.com/mestrtee/5dc2c948c2057f98d3de0a9790903c6c" - }, - { - "type": "PACKAGE", - "url": "https://github.com/andrei-tatar/nora-firebase-common" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-1321" ], - "severity": "HIGH", - "github_reviewed": true, - "github_reviewed_at": "2024-04-18T16:58:17Z", - "nvd_published_at": "2024-04-18T15:15:30Z" - } -} \ No newline at end of file + "credits": [ + { + "name": "Cutter Bruce", + "contact": [ + "https://github.com/TheeCryptoChad" + ], + "type": "ANALYST" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1321" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2024-01-01T00:00:00Z", + "nvd_published_at": "2024-04-01T00:00:00Z" + } +}