Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency protobufjs to v6.11.4 [SECURITY] #67

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Mar 27, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
protobufjs (source) 6.10.2 -> 6.11.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25878

The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.

This vulnerability can occur in multiple ways:

  1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
  2. by parsing/loading .proto files

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.


Release Notes

protobufjs/protobuf.js (protobufjs)

v6.11.4

Compare Source

v6.11.3

Compare Source

6.11.3 (2022-05-20)
Bug Fixes

v6.11.2

Compare Source

6.11.2 (2021-04-30)
  • regenerated index.d.ts to fix the unintended breaking change in types.

v6.11.1

Compare Source

6.11.1 (2021-04-29)
Bug Fixes

v6.11.0

Compare Source

6.11.0 (2021-04-28)

Features
Bug Fixes
Dependencies

v6.10.3

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sorry, something went wrong.

@renovate renovate bot changed the title Update dependency protobufjs to v6.10.3 [SECURITY] Update dependency protobufjs to v7 [SECURITY] Jul 7, 2023
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 696e6b9 to 3f95314 Compare July 7, 2023 21:26
@renovate renovate bot changed the title Update dependency protobufjs to v7 [SECURITY] Update dependency protobufjs to v6.10.3 [SECURITY] Aug 15, 2023
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 3f95314 to 6a48a00 Compare August 15, 2023 21:21

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
@renovate renovate bot changed the title Update dependency protobufjs to v6.10.3 [SECURITY] Update dependency protobufjs to v6.11.4 [SECURITY] Aug 16, 2023
@renovate renovate bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 6a48a00 to c022755 Compare August 16, 2023 00:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

None yet

0 participants