CVE-2023-26136

tough-cookie: prototype pollution in cookie memstore

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NVD
RedHat

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

A flaw was found in the tough-cookie package which allows Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

*Credits: Kokorin Vsevolod

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-02-20 CVE Reserved
2023-07-01 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2024-11-01 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CAPEC

References (10)

URL	Tag	Source
https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3	Release Notes
https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ
https://security.netapp.com/advisory/ntap-20240621-0006

URL	Date	SRC
https://github.com/salesforce/tough-cookie/issues/282	2024-08-02
https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873	2024-08-02

URL	Date	SRC
https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e	2024-06-21

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-26136	2024-10-30
https://bugzilla.redhat.com/show_bug.cgi?id=2219310	2024-10-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Salesforce Search vendor "Salesforce"		Tough-cookie Search vendor "Salesforce" for product "Tough-cookie"				< 4.1.3 Search vendor "Salesforce" for product "Tough-cookie" and version " < 4.1.3"		node.js		Affected