Fix CVE–2020–7598

[debricked-staging]

CVE–2020–7598

Vulnerable dependency:     minimist (Yarn)    0.0.10

Vulnerability details

Description

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

GitHub

Prototype Pollution in minimist

Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.

Recommendation

Upgrade to versions 0.2.1, 1.2.3 or later.

NVD

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

CVSS details - 5.6

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity	Low
Availability	Low

References

    NVD - CVE-2020-7598
    Prototype Pollution in minimist · CVE-2020-7598 · GitHub Advisory Database · GitHub
    [security-announce] openSUSE-SU-2020:0802-1: critical: Security update for nodejs8 - openSUSE Security Announce - openSUSE Mailing Lists
    don't assign onto proto · substack/minimist@63e7ed0 · GitHub
    even more aggressive checks for protocol pollution · substack/minimist@38a4d1c · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE