Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency protobufjs to v6.11.4 [SECURITY] #51

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency protobufjs to v6.11.4 [SECURITY] #51

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Jun 18, 2022
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
protobufjs (source) 6.10.2 -> 6.11.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25878

The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.

This vulnerability can occur in multiple ways:

  1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
  2. by parsing/loading .proto files

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

Release Notes

protobufjs/protobuf.js (protobufjs)

v6.11.4

Compare Source

v6.11.3

Compare Source

6.11.3 (2022-05-20)
Bug Fixes

v6.11.2

Compare Source

6.11.2 (2021-04-30)
  • regenerated index.d.ts to fix the unintended breaking change in types.

v6.11.1

Compare Source

6.11.1 (2021-04-29)
Bug Fixes

v6.11.0

Compare Source

6.11.0 (2021-04-28)

Features
Bug Fixes
Dependencies

v6.10.3

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency protobufjs to 6.11.3 [SECURITY] Update dependency protobufjs to 6.10.3 [SECURITY] Sep 25, 2022
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from ee116f5 to 6287d05 Compare March 24, 2023 22:00
@renovate renovate bot changed the title Update dependency protobufjs to 6.10.3 [SECURITY] Update dependency protobufjs to v6.10.3 [SECURITY] Mar 24, 2023
@renovate renovate bot changed the title Update dependency protobufjs to v6.10.3 [SECURITY] Update dependency protobufjs to v7 [SECURITY] Jul 7, 2023
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 6287d05 to 0249163 Compare July 7, 2023 20:37
@renovate renovate bot changed the title Update dependency protobufjs to v7 [SECURITY] Update dependency protobufjs to v6.10.3 [SECURITY] Aug 15, 2023
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 0249163 to 26e326c Compare August 15, 2023 21:20
@renovate renovate bot changed the title Update dependency protobufjs to v6.10.3 [SECURITY] Update dependency protobufjs to v6.11.4 [SECURITY] Aug 16, 2023
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 26e326c to fce9a6f Compare August 16, 2023 01:15
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from fce9a6f to a46ef21 Compare December 3, 2023 10:20
@renovate renovate bot changed the title Update dependency protobufjs to v6.11.4 [SECURITY] Update dependency protobufjs to v6.11.4 [SECURITY] - autoclosed Apr 3, 2024
@renovate renovate bot closed this Apr 3, 2024
@renovate renovate bot deleted the renovate/npm-protobufjs-vulnerability branch April 3, 2024 13:22
@renovate renovate bot changed the title Update dependency protobufjs to v6.11.4 [SECURITY] - autoclosed Update dependency protobufjs to v6.11.4 [SECURITY] Apr 3, 2024
@renovate renovate bot reopened this Apr 3, 2024
@renovate renovate bot restored the renovate/npm-protobufjs-vulnerability branch April 3, 2024 15:25
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from a46ef21 to 85cc997 Compare April 3, 2024 15:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants