GHSA-fj58-h2fr-3pp2

Source

https://github.com/advisories/GHSA-fj58-h2fr-3pp2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-fj58-h2fr-3pp2/GHSA-fj58-h2fr-3pp2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fj58-h2fr-3pp2

Aliases

CVE-2019-18413

Published

2021-10-12T16:35:45Z

Modified

2023-11-08T04:01:25.903566Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

SQL Injection and Cross-site Scripting in class-validator

Details

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default settings for forbidUnknownValues has been changed to true in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

Database specific

{
    "nvd_published_at": "2019-10-24T18:15:00Z",
    "github_reviewed_at": "2021-10-08T23:11:08Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79",
        "CWE-89"
    ]
}

References

Affected packages

npm / class-validator

Package

Name: class-validator; View open source insights on deps.dev
Purl: pkg:npm/class-validator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.14.0