A query on advisory GHSA-x5r6-x823-9848 for CVE-2020-7766 and the minimum level with the fix

I think the advisory GHSA-x5r6-x823-9848 for CVE-2020-7766 is claiming the wrong minimal level. It claims that the fix is in json-ptr@2.1.0, but:

  • the CVE info that the advisory links to at NVD - CVE-2020-7766 claims the fix is in 2.0.0 (Known Affected Software Configurations => Up to (_excluding_) 2.0.0)
  • the original finding by Snyk at Prototype Pollution in json-ptr | Snyk claims the fix is in 2.0.0
  • I can run the recreate code from the Snyk link above and this shows the vulnerable code is in json-ptr@1.3.2, but json-ptr@2.0.0 contains the fix

I can’t find a way other than this community to ask whether the minimum version is really correct or not (given that it contradicts the original finding and the CVE)

1 Like

Latest thinking is that the vulnerability relating to json-ptr@2.1.0 is the one mentioned at json-ptr/README.md at 456a1728b45c8663bb1ac20a249c5fb17495ec6b · flitbit/json-ptr · GitHub and that vulnerability is not the same as CVE-2020-7766 (i.e. there are actually 2 vulnerabilities here, CVE-2020-7766 is fixed in 2.0.0 and another separate vulnerability is fixed in 2.1.0)

1 Like

:wave: Welcome!

Sorry for the confusion.

And yes, you’re right. There are two vulnerabilities. Because of the vulnerability in 2.0.0, that couldn’t be recommended as a safe version, so it was bumped up to 2.1.0 even though the tracked issue was fixed in 2.0.0.

1 Like

Gotcha, understood.

My next concern would be that I might read the description of the nature of the vulnerability in CVE-2020-7766 (which is quoted in the advisory on GitHub) and conclude that, if I’m not using the set function then I’m not technically vulnerable; I still have a version of the module that contains the vulnerability, but I’m not exercising the vulnerable area of that code.

This would be a false (and therefore unsafe) assumption because the actual vulnerability that is resolved in json-ptr@2.1.0 is in the get method. I may be using that function and unaware that there is this vulnerability in it…

1 Like

For anyone in the future that finds this thread, there are now two separate advisories: