tough-cookie <4.1.3 Prototype Pollution via CookieJar rejectPublicSuffixes=false
CVE-2023-26136 Published on July 1, 2023

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

NVD

Vulnerability Analysis

CVE-2023-26136 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a Prototype Pollution Vulnerability?

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CVE-2023-26136 has been classified to as a Prototype Pollution vulnerability or weakness.


Products Associated with CVE-2023-26136

Want to know whenever a new CVE is published for Salesforce Tough Cookie? stack.watch will email you.

Salesforce Tough Cookie
 

Exploit Probability

EPSS
6.25%
Percentile
91.06%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.