Vulnerability Details: CVE-2023-26136
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of cookies when using CookieJar in rejectPublicSuffixes=false mode. The issue arises from the manner in which the objects are initialized.
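The following is an added illustration of the defect class named above, written for this page; it is not tough-cookie's own code. It assumes a simplified in-memory store shaped domain → path → key → cookie (an assumption about the store the advisory's "cookie memstore" reference refers to) and a caller that lets an untrusted domain string reach that index, which is the situation when public-suffix rejection is switched off. It contrasts an index built from plain object literals with one built from null-prototype objects, and adds a version check against the fixed release the advisory names.

```javascript
// Added illustration (not tough-cookie's code). Assumed simplified store
// shape: idx[domain][path][key] = cookie.

// Vulnerable initialization: plain object literals inherit from
// Object.prototype, so the index key "__proto__" resolves to the shared
// prototype instead of a fresh per-domain bucket.
const plainObject = () => ({});

// Hardened initialization: null-prototype objects have no inherited
// properties, so "__proto__" is just an ordinary own key.
const nullProtoObject = () => Object.create(null);

function createStore(newObject) {
  return { idx: newObject(), newObject };
}

function putCookie(store, cookie) {
  const { domain, path, key } = cookie;
  const idx = store.idx;
  if (!idx[domain]) idx[domain] = store.newObject();
  if (!idx[domain][path]) idx[domain][path] = store.newObject();
  idx[domain][path][key] = cookie;
}

// Returns true if an unrelated, freshly created object can see the stored
// entry afterwards, i.e. the store write modified Object.prototype.
function storeLeaksIntoPrototype(newObject) {
  const store = createStore(newObject);
  // Constructed sample cookie whose domain is the prototype key.
  const probe = { domain: '__proto__', path: '/', key: 'probe', value: 'x' };
  try {
    putCookie(store, probe);
    const unrelated = {};
    return unrelated['/'] !== undefined && unrelated['/'].probe === probe;
  } finally {
    // Undo any pollution so later code in the same process is unaffected.
    if (Object.prototype.hasOwnProperty.call(Object.prototype, '/')) {
      delete Object.prototype['/'];
    }
  }
}

// Inventory check: true for any release below the fixed version 4.1.3
// named in the advisory. Accepts plain "major.minor.patch" strings.
function isAffectedVersion(version) {
  const [a, b, c] = version.split('.').map(Number);
  const [x, y, z] = [4, 1, 3];
  if (a !== x) return a < x;
  if (b !== y) return b < y;
  return c < z;
}

console.log('plain {} index polluted:', storeLeaksIntoPrototype(plainObject));
console.log('Object.create(null) index polluted:', storeLeaksIntoPrototype(nullProtoObject));
console.log('4.1.2 affected:', isAffectedVersion('4.1.2'), '| 4.1.3 affected:', isAffectedVersion('4.1.3'));
```

The first call reports `true` and the second `false`: the only difference between the two stores is how their index objects are created, which is the point of the advisory's note about object initialization. In a real application the same probe can be run against a dependency's behaviour in a throwaway process as a regression test after upgrading to 4.1.3 or later.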
Products affected by CVE-2023-26136
- cpe:2.3:a:salesforce:tough-cookie:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-26136
- EPSS score: 0.41% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~75% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-26136
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | Snyk | |
CWE ids for CVE-2023-26136
- The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
  Assigned by:
  - nvd@nist.gov (Primary)
  - report@snyk.io (Secondary)
References for CVE-2023-26136
- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html: [SECURITY] [DLA 3488-1] node-tough-cookie security update
- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3: Release 4.1.3 · salesforce/tough-cookie · GitHub (Release Notes)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/: [SECURITY] Fedora 39 Update: yarnpkg-1.22.21-2.fc39 - package-announce - Fedora Mailing-Lists
- https://security.netapp.com/advisory/ntap-20240621-0006/: February 2024 IBM Cognos Analytics Vulnerabilities in NetApp Products | NetApp Product Security
- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e: Prevent prototype pollution in cookie memstore (#283) · salesforce/tough-cookie@12d4747 · GitHub (Patch)
- https://github.com/salesforce/tough-cookie/issues/282: Security Risk · Issue #282 · salesforce/tough-cookie · GitHub (Exploit; Issue Tracking; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/: [SECURITY] Fedora 38 Update: yarnpkg-1.22.21-2.fc38 - package-announce - Fedora Mailing-Lists
- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873: Prototype Pollution in tough-cookie | CVE-2023-26136 | Snyk (Exploit; Technical Description; Third Party Advisory)