Introduction:
This PR addresses a vulnerability in the tough-cookie package, specifically related to Prototype Pollution. This vulnerability is identified with a CVSS score of 6.5 (Medium Severity) by Snyk and 9.8 (Critical Severity) by NVD.
Details:
The vulnerability is introduced through @tryghost/[email protected] and @tryghost/[email protected], and it affects versions of tough-cookie prior to 4.1.3.
Exploit Maturity:
The exploit maturity is identified as Proof of Concept.
Overview:
tough-cookie is an RFC6265 Cookies and CookieJar module for Node.js.
Vulnerability Description:
Affected versions of this package are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. Due to an issue with the manner in which the objects are initialized, an attacker can expose or modify a limited amount of property information on those objects. There is no impact to availability.
Remediation:
Upgrade to version 4.1.3 or later of tough-cookie to fix this vulnerability. Unfortunately, there is no remediation path available for previous versions.
Proposed Changes:
Update the dependency on tough-cookie to version 4.1.3 or later in the package.json file.
Testing:
After updating the dependency, ensure that all existing functionality continues to work as expected. Perform thorough testing to verify that the vulnerability has been mitigated.
Additional Notes:
Ensure that the updated version of tough-cookie is compatible with other dependencies and does not introduce any new issues.
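Two checks a reviewer can run for the "Proposed Changes" and "Testing" steps above, as an added example that is not part of this PR or of tough-cookie itself: an audit that walks a package-lock "packages" map and reports every copy of tough-cookie below 4.1.3 together with the dependency path that pulls it in (the lockfile fragment and the "@example/*" package names are constructed placeholders, not this project's real dependencies), and a regression helper that fails if any operation adds properties to Object.prototype, which can wrap CookieJar calls in rejectPublicSuffixes=false mode after the upgrade. The two index functions are a constructed stand-in for the general bug class (a domain-keyed plain-object index) and its hardened form; they are not the package's own code.

```javascript
// Added example, not from the PR. Runs offline on the constructed lockfile below.
const FIXED = "4.1.3"; // first fixed tough-cookie version named in the PR

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; prerelease tags are ignored.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Constructed package-lock.json fragment (lockfileVersion 2/3 "packages" map).
// Keys are node_modules paths, so a nested key shows which dependency pulls
// in a private copy of tough-cookie. "@example/admin-api" is a placeholder.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "@example/admin-api": "1.0.0" } },
    "node_modules/@example/admin-api": {
      version: "1.0.0",
      dependencies: { "tough-cookie": "^4.0.0" },
    },
    "node_modules/@example/admin-api/node_modules/tough-cookie": { version: "4.0.0" },
    "node_modules/tough-cookie": { version: "4.1.3" },
  },
};

// Report every installed copy of pkgName older than `fixed`, with its introducer.
function auditLock(lock, pkgName = "tough-cookie", fixed = FIXED) {
  const suffix = `node_modules/${pkgName}`;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (!path.endsWith(suffix)) continue; // scoped names like @x/tough-cookie do not match
    if (compareSemver(entry.version, fixed) >= 0) continue;
    // The path above the vulnerable copy is the package that hoisted/nested it.
    const via = path.slice(0, path.length - suffix.length).replace(/\/$/, "") || "(root)";
    findings.push({ path, version: entry.version, via });
  }
  return findings;
}

// Regression guard: run fn() and fail if Object.prototype gained own properties.
// Added properties are removed again so one failure cannot poison later tests.
function assertNoPrototypePollution(fn) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  const result = fn();
  const added = Object.getOwnPropertyNames(Object.prototype).filter((k) => !before.has(k));
  if (added.length) {
    for (const k of added) delete Object.prototype[k];
    throw new Error(`Object.prototype polluted with: ${added.join(", ")}`);
  }
  return result;
}

// Constructed stand-in for the bug class (not tough-cookie's code): a domain-keyed
// index on a plain object. For domain "__proto__", idx[domain] resolves to
// Object.prototype, so the write lands on every object in the process.
function naiveIndexPut(idx, domain, key, value) {
  idx[domain] = idx[domain] || {};
  idx[domain][key] = value;
  return idx;
}

// Hardened form: a prototype-less object has no inherited "__proto__" accessor,
// so "__proto__" is stored as an ordinary own key and nothing leaks upward.
function createIndex() {
  return Object.create(null);
}

function safeIndexPut(idx, domain, key, value) {
  if (!Object.prototype.hasOwnProperty.call(idx, domain)) idx[domain] = createIndex();
  idx[domain][key] = value;
  return idx;
}

console.log("vulnerable copies:", JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

The audit reports the nested 4.0.0 copy under the placeholder package and is silent about the hoisted 4.1.3, which is the situation the "Details" section describes: the root dependency can be current while a transitive dependency still pins an older copy. The `assertNoPrototypePollution` guard is the shape of test the "Testing" step asks for; wrap the CookieJar calls that exercise `rejectPublicSuffixes=false` in it and keep it in the suite so a future downgrade is caught.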