Vulnerability Description
The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508).
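The kind of check the description refers to, shown as an added illustration that is not convict's code: a generic dotted-path config setter that validates every key segment, the parent key included, before it creates or descends into a property. `setPath`, `loadConfig` and `isSafeKey` are assumed names, and the pattern is a general hardening rather than the project's actual fix.

```javascript
// Added example, not convict's own code: a dotted-path config setter with the
// per-segment key validation whose absence the advisory describes. Every
// segment, the parent key included, is checked before any property is touched.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True if a single path segment may safely be used as a property name.
function isSafeKey(key) {
  return typeof key === 'string' && key.length > 0 && !FORBIDDEN_KEYS.has(key);
}

// Sets `value` at the dotted `path` inside `target`, creating intermediate
// objects as needed; throws rather than touch a key that reaches Object.prototype.
function setPath(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (!isSafeKey(key)) {
      throw new Error(`refusing unsafe key "${key}" in path "${path}"`);
    }
    if (i === segments.length - 1) {
      node[key] = value;
      return target;
    }
    // Descend only into own plain-object children, never into inherited
    // properties, which is the other way a lookup can land on the prototype.
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  return target;
}

// Loads a flat map of "dotted.key" -> value (untrusted input) into a fresh
// config object and reports which entries were rejected.
function loadConfig(entries) {
  const config = {};
  const rejected = [];
  for (const [path, value] of Object.entries(entries)) {
    try {
      setPath(config, path, value);
    } catch (e) {
      rejected.push(path);
    }
  }
  return { config, rejected };
}
```

Rejected paths are reported rather than silently dropped so that a config loader can log them, which is the detection signal a defender wants when untrusted key names arrive.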
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Convict | < 6.2.2 |
Related Weaknesses (CWE)
References
- https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af1 (Broken Link)
- https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3a (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-CONVICT-2340604 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-22143?
CVE-2022-22143 is a vulnerability with a CVSS score of 7.5 (HIGH). The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey; the issue derives from an incomplete fix of an earlier vulnerability (see the description above).
How severe is CVE-2022-22143?
CVE-2022-22143 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-22143?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Convict.