Lucene search

SnykCVE-2021-23396

HistoryJun 17, 2021 - 5:15 p.m.

CVE-2021-23396

2021-06-1717:15:07

CWE-1321

snyk

web.nvd.nist.gov

cve

2021

23396

lutils

package

vulnerable

prototype pollution

nvd

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.005

Percentile

76.2%

JSON

All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.

Affected configurations

Nvd

Node

lutils_projectlutilsnode.js

VendorProductVersionCPE
lutils_projectlutils*cpe:2.3:a:lutils_project:lutils:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
lutils_project	lutils	*	cpe:2.3:a:lutils_project:lutils::::::node.js::*

CNA Affected

[
  {
    "product": "lutils",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

snyk.io/vuln/SNYK-JS-LUTILS-1311023

Social References

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.005

Percentile

76.2%

JSON

Related for CVE-2021-23396