cvelist / Snyk / CVELIST:CVE-2020-7743
History: Oct 13, 2020 - 9:15 a.m.

CVE-2020-7743 Prototype Pollution

2020-10-13 09:15:16
snyk
www.cve.org
3
cve-2020-7743
prototype pollution
mathjs package
deepextend function
configuration updates

CVSS3: 7.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS: 0.003
Percentile: 70.9%

The package mathjs before 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.

CNA Affected

[
  {
    "product": "mathjs",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "7.5.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
