Strix
26.1K

CVE-2023-0163

HIGHCVSS 8.4/10EPSS 0.27%

Last modified

CVE-2023-0163 is a high-severity vulnerability rated 8.4/10 on the CVSS scale. Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. EPSS estimates a 0.27% chance of exploitation in the next 30 days.

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still, a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files. This issue affects Convict: before 6.2.4.

Metrics

CVSS 3.1
8.4/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.27%

19.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
MozillaConvict< 6.2.4

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2023-0163?
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still, a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files. This issue affects Convict: before 6.2.4.
How severe is CVE-2023-0163?
CVE-2023-0163 has a CVSS score of 8.4/10 (HIGH severity). The EPSS model estimates a 0.27% probability of exploitation in the next 30 days.
How do I fix CVE-2023-0163?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-0163?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST