Critical security vulnerability CVE-2023-36665 needs to be corrected by upgrading protobufjs library to 7.2.5 or higher within gax library dependency in package.json file. #1924
Labels
api: pubsub
Issues related to the googleapis/nodejs-pubsub API.
priority: p2
Moderately-important priority. Fix may not be included in next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Comments
rgarmas89aws
added
priority: p2
product-auto-label
bot
added
the
api: pubsub
|
Pub/Sub includes gax 4.0.3, which already pulls in protobufjs 7.2.4 (probably by semver). Renovate isn't issuing PRs to upgrade to newer gax versions, and there's a newer one that explicitly pulls in 7.2.4, so that'd be good to have. Edit: Oh, I misread. 7.2.4 is no good either. |
feywind
added
priority: p3
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
(feywind edited for brevity)
Environment details
@google-cloud/pubsubversion: 4.3.3Steps to reproduce
See vulnerability details in: GHSA-h755-8qp9-cq85
protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype. = ...; whereas CVE-2022-25878 was about Object.proto. = ...; instead.
Attack scenario
An external attacker for exposed endpoints.
The text was updated successfully, but these errors were encountered: