CVE-2019-18413

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-18413

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18413.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-18413

Aliases

GHSA-fj58-h2fr-3pp2

Withdrawn

2024-05-15T05:33:17.042978Z

Published

2019-10-24T18:15:11Z

Modified

2023-11-29T07:19:10.366333Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

References

Affected packages

Git / github.com/typestack/class-validator

Affected ranges

Type: GIT
Repo: https://github.com/typestack/class-validator
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

b4c77810b1010b24261c2ea65b99a9d920a33992

Affected versions

0.*

0.10.0

0.10.0-rc.0

0.10.0-rc.1

v0.*

v0.10.0

v0.10.0-rc.0

v0.10.0-rc.1

v0.10.1

v0.10.2

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.9.0

v0.9.1