Lucene search

K
cvelistSnykCVELIST:CVE-2021-23440
HistorySep 12, 2021 - 12:55 p.m.

CVE-2021-23440 Prototype Pollution

2021-09-1212:55:10
snyk
www.cve.org
4
cve-2021-23440
prototype pollution
set-value package
type confusion vulnerability
bypass
cve-2019-10747
user-provided keys
arrays

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

9.5

Confidence

High

EPSS

0.064

Percentile

93.8%

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

CNA Affected

[
  {
    "product": "set-value",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "<2.0.1"
      },
      {
        "status": "affected",
        "version": ">=3.0.0 <4.0.1"
      }
    ]
  }
]

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

9.5

Confidence

High

EPSS

0.064

Percentile

93.8%