Description

@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.

Remediation

References

https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291

https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6

Related Vulnerabilities

CVE-2022-23223 Vulnerability in maven package org.apache.shenyu:shenyu-common

CVE-2017-4971 Vulnerability in maven package org.springframework.webflow:spring-webflow

CVE-2023-29508 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livedata-macro

CVE-2019-10754 Vulnerability in maven package org.apereo.cas:cas-server-support-oauth-core-api

CVE-2023-32998 Vulnerability in maven package com.rapid7:jenkinsci-appspider-plugin

Severity

Low

Classification

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Patch Vendor Advisory NVD-CWE-noinfo