Lucene search

GitHub Advisory DatabaseGHSA-CXM3-284P-QC4V

HistorySep 03, 2020 - 3:53 p.m.

Prototype Pollution in sds

2020-09-0315:53:12

CWE-915

CWE-1321

GitHub Advisory Database

github.com

sds

prototype pollution

upgrade

version 4.0.0

software

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

38.8%

JSON

Affected versions of sds are vulnerable to prototype pollution. The set function does not restrict the modification of an Object’s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.

Recommendation

Upgrade to version 4.0.0 or later

Affected configurations

Vulners

Node

sds_projectsdsRange<4.0.0

VendorProductVersionCPE
sds_projectsds*cpe:2.3:a:sds_project:sds:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sds_project	sds	*	cpe:2.3:a:sds_project:sds::::::::

References

github.com/advisories/GHSA-cxm3-284p-qc4v

github.com/monsterkodi/sds/blob/master/js/set.js#L31

nvd.nist.gov/vuln/detail/CVE-2020-7618

snyk.io/vuln/SNYK-JS-SDS-564123

www.npmjs.com/advisories/1506

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

38.8%

JSON

Related for GHSA-CXM3-284P-QC4V