An attacker can inject code into an object and have it appear as if it comes from the object's own constructor. This technique has been previously abused by the CSP team to achieve CSP bypass. Code can also be injected into objects that are being inherited, allowing for code execution on the object's behalf.

All versions of package dml are vulnerable to Prototype Pollution via 'dml/patch' and 'dml/unpatch' modes. By crafting a malicious object, it is possible to bypass these checks and achieve prototype pollution.

To discover if an installation is vulnerable, run the following command:

$ python -m dml --check-version dml/patch

All versions of package dplyr are vulnerable to Prototype Pollution via 'dplyr/select' and 'dplyr/filter' modes. By crafting a malicious object, it is possible to bypass these checks and achieve prototype pollution.

To discover if an installation is vulnerable, run the following command:

$ python -m dplyr --check-version dplyr/select

DML: 'patch' mode

By crafting a malicious object, it is possible to bypass these checks and achieve prototype pollution.

To discover if an installation is vulnerable, run the following command:

$ python -m dml --check-version dml/patch

Python 3.x is not vulnerable to this type of attack

Python 3.x was tested and is not vulnerable to this type of attack.

DML/PATCH VULNERABILITY

It is possible to bypass DML's 'dml/patch' check and achieve prototype pollution. To discover if an installation is vulnerable, run the following command:

$ python -m dml --check-version dml/patch

Timeline

Published on: 05/01/2022 16:15:00 UTC
Last modified on: 05/11/2022 16:18:00 UTC

References