Lucene search

GitHub Advisory DatabaseGHSA-8J4W-5FW4-RM27

HistoryAug 27, 2019 - 5:45 p.m.

Prototype Pollution in deeply

2019-08-2717:45:33

CWE-400

GitHub Advisory Database

github.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.007

Percentile

79.7%

JSON

Versions of deeply prior to 1.0.1 are vulnerable to Prototype Pollution. The package fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Recommendation

Upgrade to version 3.1.0 or later.

Affected configurations

Vulners

Node

deeply_projectdeeplyRange<3.1.0node.js

VendorProductVersionCPE
deeply_projectdeeply*cpe:2.3:a:deeply_project:deeply:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
deeply_project	deeply	*	cpe:2.3:a:deeply_project:deeply::::::node.js::*

References

github.com/advisories/GHSA-8j4w-5fw4-rm27

nvd.nist.gov/vuln/detail/CVE-2019-10750

snyk.io/vuln/SNYK-JS-DEEPLY-451026

www.npmjs.com/advisories/1030

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.007

Percentile

79.7%

JSON

Related for GHSA-8J4W-5FW4-RM27