HttpRequest Header Encoding Flaw Enables Prototype Pollution in Edge JS
CVE-2024-42330 Published on November 27, 2024
JS - Internal strings in HTTP headers
The HttpRequest object allows to get the HTTP headers from the server's response after sending the request. The problem is that the returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. This allows to create internal strings that can be used to access hidden properties of objects.
Vulnerability Analysis
CVE-2024-42330 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Use of Externally-Controlled Format String
The software uses a function that accepts a format string as an argument, but the format string originates from an external source.
Products Associated with CVE-2024-42330
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-42330 are published in these products:
Affected Versions
Zabbix:- Version 6.0.0, <= 6.0.33 is affected.
- Version 6.4.0, <= 6.4.18 is affected.
- Version 7.0.0, <= 7.0.3 is affected.
- Version 6.0.0, <= 6.0.33 is affected.
- Version 6.4.0, <= 6.4.18 is affected.
- Version 7.0.0, <= 7.0.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.