Lucene search

SnykCVELIST:CVE-2021-23419

HistoryAug 08, 2021 - 7:30 a.m.

CVE-2021-23419 Prototype Pollution

2021-08-0807:30:12

snyk

www.cve.org

package open-graph

vulnerability

parse

prototype pollution

object.prototype

constructor payload

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

AI Score

9.7

Confidence

High

EPSS

0.004

Percentile

72.4%

JSON

This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a proto or constructor payload.

CNA Affected

[
  {
    "product": "open-graph",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "0.2.6",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/samholmes/node-open-graph/commit/a0cef507a90adaac7dbbe9c404f09a50bdefb348

snyk.io/vuln/SNYK-JS-OPENGRAPH-1536747

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

AI Score

9.7

Confidence

High

EPSS

0.004

Percentile

72.4%

JSON

Related for CVELIST:CVE-2021-23419