History: Feb 04, 2022 - 8:05 p.m.

CVE-2021-23507 Prototype Pollution

2022-02-04 20:05:18
snyk
www.cve.org
cve-2021-23507
prototype pollution
object-path-set
setpath method
incomplete fix

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P

AI Score: 9.7
Confidence: High

EPSS: 0.007
Percentile: 80.7%

The package object-path-set before 1.0.2 is vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-OBJECTPATHSET-607908

CNA Affected

[
  {
    "product": "object-path-set",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "1.0.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
