CVE-2020-15256 Prototype pollution in object-path

2020-10-1921:25:13

CWE-471

CWE-20

GitHub_M

www.cve.org

cve-2020-15256

object-path

vulnerability

set method

includeinheritedprops

version 0.11.4

version 0.11.5

workaround

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

AI Score

6.8

Confidence

High

EPSS

0.003

Percentile

69.9%

JSON

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don’t use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

CNA Affected

[
  {
    "product": "object-path",
    "vendor": "mariocasciaro",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.11.5"
      }
    ]
  }
]