Homepage
About Snyk

Prototype Pollution Affecting appwrite/server-ce package, versions >=0.12.0, <0.12.2 <0.11.1

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    1.48% (87th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-APPWRITESERVERCE-2401820
  • published 16 Feb 2022
  • disclosed 24 Jan 2022
  • credit Alessio Della Libera of Snyk Research Team
Report a new vulnerability Found a mistake?

Introduced: 24 Jan 2022

CVE-2021-23682 Open this link in a new tab
CWE-1321 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade appwrite/server-ce to version 0.12.2, 0.11.1 or higher.

Overview

appwrite/server-ce is an End to end backend server for frontend and mobile apps.

Affected versions of this package are vulnerable to Prototype Pollution. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability.

PoC

  1. add the following query string ?__proto__[polluted]=yes

  2. open the browser developer console. The property polluted has value yes

CVSS Scores

version 3.1
Expand this section

Snyk

7.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    Low
Expand this section

NVD

9.8 critical