GHSA-wxgw-qj99-44c2
ADVISORY - github
Summary
Impact
forge.util.setPath had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.
Patches
The forge.util.setPath API and related functions were removed in 0.10.0.
Workarounds
Don't call forge.util.setPath directly or indirectly with untrusted keys.
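One way to enforce this workaround in calling code that cannot yet move to 0.10.0, as an added example that is not forge's code and not part of the advisory. naiveSetPath is a hypothetical stand-in for a nested-path setter; guardedSetPath, FORBIDDEN_KEYS and the sample key path are constructed for illustration.

```javascript
'use strict';

// Hypothetical stand-in for a nested-path setter; NOT forge's implementation.
// It walks `keys`, creating intermediate objects, then assigns `value`.
function naiveSetPath(obj, keys, value) {
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k]; // with k === '__proto__' this steps onto Object.prototype
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Segments that resolve to a prototype object rather than ordinary data.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Guard for untrusted keys: validate every segment before any write happens.
function guardedSetPath(obj, keys, value) {
  if (!Array.isArray(keys) || keys.length === 0) {
    throw new TypeError('keys must be a non-empty array');
  }
  for (const k of keys) {
    if (typeof k !== 'string' || FORBIDDEN_KEYS.has(k)) {
      throw new RangeError('rejected path segment: ' + String(k));
    }
  }
  return naiveSetPath(obj, keys, value);
}

// Constructed input: a key path as it might arrive from a parsed request body.
function demo() {
  const untrusted = JSON.parse('["__proto__", "isAdmin"]');
  let rejected = false;
  try {
    guardedSetPath({}, untrusted, true);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  const ok = guardedSetPath({}, ['tls', 'version'], '1.3');
  // A fresh object must not have inherited the untrusted property.
  return { rejected, inherited: ({}).isAdmin, ok };
}

console.log(demo());
```

The guard checks the whole path before the first assignment, so a rejected path leaves the target object untouched.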
References
- https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-598677
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
For more information
If you have any questions or comments about this advisory:
- Open an issue in forge.
- Email us at support@digitalbazaar.com.